RFE: Certificate checking for resolved's DNS over TLS feature #9397
Since systemd 239
This issue is for keeping track of certificate checking for DNS over TLS.
I would recommend not using IP address/hostname tuples.
I think there are two possibilities: either an IP address of the DNS server or the hostname of the upstream resolver is provided. The Baseline Requirements of the CA/Browser Forum allow certificates to be issued for IP addresses and hostnames, so both are possible. For example, Cloudflare's DNS resolvers have an X.509 certificate with the following Subject Alternative Name: DNS:*.cloudflare-dns.com, IP Address:126.96.36.199, IP Address:188.8.131.52, DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001.
If just the hostname is known, it might be required to resolve it first over unencrypted DNS or some form of unencrypted multicast DNS. Nonetheless, I don't think that it will cause major problems.
However, it might be harder to operate a DNS resolver that supports DNS over TLS and whose IP addresses are made public over DHCP or IPv6 RA options. It seems that not all CAs will issue certificates for IP addresses; in particular, Let's Encrypt does not. RFC 8106 and RFC 3646 also only allow IP addresses, not hostnames. It gets particularly bad if the DNS resolvers only have link-local or private IP addresses: no CA will issue certificates for them.