dnsdist - Feature request: DNS-over-TLS dual certificate (RSA+EC) support. #6450
dnsdist should allow alternative certificates for different algorithms (think RSA) simultaneously.
Clients should be able to choose what they support (EC if supported, or RSA otherwise, for example). As it currently is, we can only either use RSA, or EC, but not both.
Many other pieces of software (nginx/Apache/Postfix/sendmail/Dovecot/Courier) have the ability to offer multiple certificates for different algorithms simultaneously. The client can then take its pick. I believe that dnsdist should follow suit.
I am not sure how greatly EC is supported in DNS-over-TLS clients, but considering it's a fairly new thing, I'm pretty sure that all clients support EC. Which, I admit, might make this less of a priority.