On Fri, 24 May 2019, Paul Hoffman wrote:
>> For the issue of validating the certificate on a DoT or DoH server, how
>> about this kludge: the client contacts the server by IP address, the
>> server returns a certificate.  If it has an IP address and it matches,
>> swell, you're done. If it has a domain name, do a DNSSEC validated A
>> or AAAA lookup, and if you get an answer with the IP of the server,
>> it's OK.  If it has multiple domain names, maybe look them all up
>> or maybe don't do that.
>
> That is possible, but outside the scope of this document. That is, the same
> would be true for *any* HTTPS client that gets a certificate with an IP address
> in the certificate but not a name that it likes.

I was more thinking of it for DoT. There's too much inertia in https to change anything there.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
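As an added illustration (not code from this thread, from the draft under discussion, or from any IETF document), here is a Python sketch of the kludge John Levine proposes above: accept an iPAddress SAN that equals the address the client connected to, otherwise accept a dNSName SAN only if a DNSSEC-validated A/AAAA lookup of it returns that address. The certificate is passed in the dict shape that Python's `ssl.SSLSocket.getpeercert()` really returns; the resolver, the DNS records and the certificates below are constructed stand-ins (no network access), and `cert_matches_ip`, `fake_validating_resolver` and the `_FAKE_DNS` table are names chosen for this example.

```python
"""
Straw-man implementation of the "connect by IP, then check the SANs"
kludge from the DNSOP thread.  Added example, not the draft's or the
poster's code.  The DNS data and resolver here are made up.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple

# A validating stub resolver: (name, rrtype) -> (addresses, AD flag set?)
Resolver = Callable[[str, str], Tuple[Iterable[str], bool]]


def _san_entries(peercert: dict, kind: str) -> List[str]:
    """Pull SAN values of one kind ('DNS' or 'IP Address') out of a
    getpeercert()-style dict."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == kind]


def cert_matches_ip(peercert: dict, server_ip: str, resolve: Resolver) -> Tuple[bool, str]:
    """Decide whether the certificate vouches for the IP we connected to.

    Returns (accepted, reason).  Steps, as described in the thread:
      1. an iPAddress SAN equal to server_ip -> accept;
      2. otherwise each dNSName SAN is resolved (A or AAAA, matching the
         address family) and accepted only if the answer was DNSSEC
         validated (AD bit) and contains server_ip;
      3. anything else -> reject.
    """
    target = ipaddress.ip_address(server_ip)   # normalises textual forms

    # Step 1: iPAddress SANs.
    for ip_text in _san_entries(peercert, "IP Address"):
        try:
            if ipaddress.ip_address(ip_text) == target:
                return True, f"iPAddress SAN {ip_text} matches"
        except ValueError:
            continue            # malformed SAN: ignore it, keep looking

    # Step 2: dNSName SANs, all of them ("maybe look them all up").
    names = _san_entries(peercert, "DNS")
    if not names:
        return False, "no usable SAN in certificate"
    rrtype = "AAAA" if target.version == 6 else "A"
    for name in names:
        if name.startswith("*."):
            continue            # a wildcard names no host we can look up
        addrs, authenticated = resolve(name, rrtype)
        if not authenticated:
            continue            # unvalidated answer: could be spoofed, so it proves nothing
        if any(ipaddress.ip_address(a) == target for a in addrs):
            return True, f"DNSSEC-validated {rrtype} for {name} includes {server_ip}"
    return False, "no SAN resolves (with DNSSEC) to the server address"


# --- constructed test fixtures (made up for this example) -------------------

# (name, rrtype) -> (addresses, AD flag).  "unsigned.example.org" models a
# zone without DNSSEC: the resolver answers, but without the AD bit.
_FAKE_DNS = {
    ("dot.example.net", "A"):        (["192.0.2.53"], True),
    ("dot.example.net", "AAAA"):     (["2001:db8::53"], True),
    ("unsigned.example.org", "A"):   (["192.0.2.53"], False),
}


def fake_validating_resolver(name: str, rrtype: str) -> Tuple[List[str], bool]:
    """Stand-in for a validating stub resolver; NXDOMAIN -> ([], False)."""
    return _FAKE_DNS.get((name, rrtype), ([], False))


# Certificates in getpeercert() shape, with only the SAN field filled in.
CERT_WITH_IP = {"subjectAltName": (("DNS", "dot.example.net"), ("IP Address", "192.0.2.53"))}
CERT_NAME_ONLY = {"subjectAltName": (("DNS", "dot.example.net"),)}
CERT_UNSIGNED_NAME = {"subjectAltName": (("DNS", "unsigned.example.org"),)}


if __name__ == "__main__":
    for label, cert, ip in [
        ("iPAddress SAN", CERT_WITH_IP, "192.0.2.53"),
        ("dNSName, signed, v4", CERT_NAME_ONLY, "192.0.2.53"),
        ("dNSName, signed, v6", CERT_NAME_ONLY, "2001:0db8::53"),
        ("dNSName, unsigned zone", CERT_UNSIGNED_NAME, "192.0.2.53"),
        ("dNSName, wrong address", CERT_NAME_ONLY, "198.51.100.1"),
    ]:
        print(label, "->", cert_matches_ip(cert, ip, fake_validating_resolver))
```

The unsigned-zone case is the one worth noticing: an unvalidated A record that happens to contain the right address must not count, since the whole point of the kludge is that DNSSEC, not the CA, binds the name to the address. A real client would feed in `sock.getpeercert()` and a resolver that exposes the AD bit (or validates locally).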
