Use encrypted DNS with IP address
Hi,
Recently, when I checked the digital certificate on Firefox, I found that some public encrypted DNS servers can use the IP address directly, without going through the hostname.
I suggest the idea of adding the NextDNS server IP address in the digital certificate.
This will connect directly to the NextDNS server without resolving the dns.nextdns.io domain name. For example:
tls://45.90.28.0
quic://45.90.28.0
https://45.90.28.0/
Like Google DNS, OpenDNS, Quad9
tls://8.8.8.8
tls://9.9.9.11
tls://208.67.222.222
https://8.8.8.8/dns-query
https://9.9.9.11/dns-query
https://208.67.222.222/dns-query
Domain name in NextDNS digital certificate
Google DNS, OpenDNS and Quad9 digital certificates also have IP addresses
Hopefully, this idea gets noticed. Thanks!
References:
https://datatracker.ietf.org/doc/html/rfc5280
https://support.globalsign.com/ssl/general-ssl/securing-public-ip-address-ssl-certificates
https://cabforum.org/working-groups/server/guidance-ip-addresses-certificates/
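To show what the request above changes in practice, here is an added example (not part of the original post and not NextDNS code) that applies the RFC 5280 / RFC 6125 name-matching rules a DoT/DoH/DoQ client uses: an endpoint given as an IP literal is only valid if the certificate carries a matching iPAddress SAN, while a hostname endpoint matches dNSName entries. The SAN tuples are constructed samples in the shape Python's `ssl.getpeercert()["subjectAltName"]` returns, with documentation addresses, not the real resolvers' certificates.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SAN lists (same shape as ssl.getpeercert()["subjectAltName"]).
# They illustrate the two situations discussed in the post, nothing more.
SAMPLE_CERTS = {
    # a resolver whose certificate names only hostnames
    "dns_only": (("DNS", "dns.example.net"), ("DNS", "*.dns.example.net")),
    # a resolver whose certificate also lists its IP addresses (documentation ranges)
    "with_ip": (("DNS", "dns.example.net"),
                ("IP Address", "192.0.2.53"),
                ("IP Address", "2001:db8::53")),
}


def _dns_match(pattern, host):
    """dNSName match per RFC 6125: case-insensitive, a wildcard is allowed only
    as the whole leftmost label, and an IP literal never matches a dNSName."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def endpoint_matches_san(url, san):
    """True if the host part of a tls://, quic:// or https:// endpoint URL is
    covered by the certificate's subjectAltName entries."""
    host = urlsplit(url).hostname  # drops the port and IPv6 brackets
    if host is None:
        raise ValueError("endpoint URL has no host: %r" % url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    for kind, value in san:
        if ip is not None:
            # An IP literal must equal an iPAddress SAN; dNSName entries and
            # the subject CN are never consulted for it (RFC 5280 / RFC 6125).
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False
```

The same function works on a live certificate: the tuple returned by `ssl.getpeercert()["subjectAltName"]` after a verified TLS handshake to port 853 can be passed in as `san`.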
5 replies
-
This would miss the profile id. In order to embed the profile id with IPv6 or even allow link IP with IPv4, it would require an extremely large number of certificates. CAs allowing IP certificates are not common and generally require extra steps. The number of certificates to manage and the CA limitations make this idea mostly impossible and overly expensive for limited benefits.