nanog mailing list archives
Re: Certificates for DoT and DoH?
From: Bjørn Mork <bjorn () mork no>
Date: Mon, 28 Feb 2022 20:56:51 +0100
David Guo <david () xtom com> writes:
> You don't need a certificate for your IP address if your DoT and DoH use domains.

Sorry if I'm slow, but isn't that a chicken-and-egg problem? We're going to provide this as an add-on to our standard ISP resolver service. Most clients will pick up the addresses from DHCP/DHCPv6. Very few are configuring DNS resolvers manually, and those who do are using other providers. Like you :-)

> For certificates with IPv4 addresses, we use ZeroSSL / GoGetSSL; both are SubCAs with Sectigo, which works fine.

Thanks. That's interesting. I didn't know ZeroSSL offered this. And GoGetSSL has better docs than most. But we can't run a resolver service without IPv6 in 2022. Did you ever get any explanation of this restriction? It shouldn't be much harder/different to validate an IPv6 address if you can validate an IPv4 address.

> For IPv6 addresses, we used DigiCert, but it's too expensive, so we gave up ☹

Hard to claim it's too expensive if no one else thinks it's worth offering a similar service...

> Our DoT/DoH service is https://dns.sb/

Nice. Good to have more examples to look at.

Bjørn
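The chicken-and-egg point above is easiest to see from the client side. The following is an added example, not code from this thread or from dns.sb: it shows how a DoT client that learned its resolver only as an address from DHCP validates the server certificate, and why a certificate carrying only a dNSName SAN is useless to it. The certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `dns.example.net`, `192.0.2.53` and `2001:db8::53` are documentation placeholders, not real resolver addresses.

```python
"""
Added example (not from the NANOG thread): certificate name matching for a
DoT/DoH client that only knows its resolver's IP address.
"""
import ipaddress
import socket
import ssl


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, wildcard only as the
    whole leftmost label, and never matching a bare public suffix like *.net."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    if pattern.count(".") < 2:
        return False
    suffix = pattern[1:]  # "*.example.net" -> ".example.net"
    return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")


def cert_matches_target(cert: dict, target: str) -> bool:
    """
    Decide whether `cert` (dict form of getpeercert()) is valid for `target`,
    which is either a hostname or an IP literal.  Only subjectAltName entries
    count; the CN is ignored, as modern TLS stacks do.
    """
    san = cert.get("subjectAltName", ())
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None

    if want_ip is None:
        return any(kind == "DNS" and _dns_label_match(value, target)
                   for kind, value in san)

    # IP targets must be compared as addresses, not strings: getpeercert()
    # renders IPv6 in expanded uppercase form ("2001:DB8:0:0:0:0:0:53"), so a
    # string compare against "2001:db8::53" would wrongly fail.
    for kind, value in san:
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == want_ip:
                return True
        except ValueError:
            continue
    return False


# Constructed sample (not a real certificate): a resolver cert carrying a name
# plus both address families in the SAN, as a DHCP-configured client needs.
RESOLVER_CERT = {
    "subject": ((("commonName", "dns.example.net"),),),
    "subjectAltName": (
        ("DNS", "dns.example.net"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:DB8:0:0:0:0:0:53"),
    ),
}

# Constructed sample: name-only cert.  Fine for a client configured with the
# name; useless for the client that only holds the resolver's address.
NAME_ONLY_CERT = {
    "subject": ((("commonName", "dns.example.net"),),),
    "subjectAltName": (("DNS", "dns.example.net"),),
}


def dot_peercert(resolver_ip: str, port: int = 853, timeout: float = 5.0) -> dict:
    """
    Open a DNS-over-TLS connection to an IP-configured resolver and return the
    certificate the stack accepted.  Passing the IP literal as server_hostname
    makes Python (3.7+) ask OpenSSL to match it against iPAddress SANs and to
    send no SNI; no DNS name is involved at any point.  Needs network access,
    so it is only called from __main__.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_ip) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("resolver cert", RESOLVER_CERT), ("name-only cert", NAME_ONLY_CERT)):
        for target in ("dns.example.net", "192.0.2.53", "2001:db8::53"):
            print(f"{label:15} {target:18} -> {cert_matches_target(cert, target)}")
    # Live check against a resolver address you trust (placeholder address):
    #   print(dot_peercert("192.0.2.53")["subjectAltName"])
```

The offline half is the point of the thread: with `NAME_ONLY_CERT`, the two IP targets fail while the name succeeds, and with `RESOLVER_CERT` the IPv6 literal succeeds only because the comparison canonicalises both sides as addresses. `dot_peercert` is the live equivalent of what a stub resolver does with the address it got from DHCP.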
Current thread:
- Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? Bill Woodcock (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? John Todd (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- RE: Certificates for DoT and DoH? David Guo via NANOG (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? Bill Woodcock (Feb 28)