[getdns-users] client authentication

A. Schulze sca at andreasschulze.de
Mon Apr 10 15:38:19 UTC 2017


Hello,

As a client I could now query a TLS-aware resolver via DNS-over-TLS. I could prove that I am talking to the right server by checking the pin.

$ getdns_query -s yeti-ns.datev.net aaaa -l L -m -K 'pin-sha256="QFWn+jgr2FfkRjCw8J77QJbChem3FUGwi9Ntp67SnVg="' @2a00:e50:f15c:1000::2:53
...
Response code was: GOOD. Status was: At least one response was returned

So far so good. But from the resolver operator's view I would like to know "who is my client?"
Usually resolvers aren't run to serve anybody (like 8.8.8.8 does) but are limited to answering requests from a trusted network only.
With TLS it may be an option to limit the service to clients presenting a certificate from my own CA,
like in the "web world", where it's simply client-certificate-based authentication+authorization.

Does DNS-over-TLS offer a similar setup?

Andreas
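The pin passed to getdns_query with -K above is an RFC 7469 style SPKI pin, which RFC 7858 adopts for DNS-over-TLS: the base64 of the SHA-256 of the server's DER-encoded subjectPublicKeyInfo. The following added example (not part of the post or of getdns) shows how an operator or client can derive that pin-sha256 value from a DER certificate with only the Python standard library, using a minimal DER walker. The certificate it checks itself is constructed test data with an Ed25519-style key; the sample key bytes are made up.

```python
import base64
import hashlib


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (DER: minimal encoding)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return [(tag, full_encoding)] for each TLV directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _read_tlv(value, pos)
        out.append((tag, value[pos:end]))  # keep tag+length, we hash the full encoding
        pos = end
    return out


def spki_from_certificate(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate is the first element
    fields = _children(tbs)
    # tbsCertificate: [0] version (optional), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    idx = 1 if fields[0][0] == 0xA0 else 0
    return fields[idx + 5][1]


def pin_sha256(spki_der):
    """base64(SHA-256(SubjectPublicKeyInfo)), the RFC 7469 pin value."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_certificate(cert_der):
    """Render the pin exactly as getdns_query -K expects it."""
    return 'pin-sha256="%s"' % pin_sha256(spki_from_certificate(cert_der))


# --- constructed test data below (hypothetical certificate, not a real one) ---

def _der(tag, content):
    """Encode a DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# SPKI for an Ed25519 key (OID 1.3.101.112) with a made-up 32-byte public key.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70"))
                   + _der(0x03, b"\x00" + bytes(range(32))))


def build_sample_certificate(spki_der, with_version=True):
    """Build a structurally valid (but unsigned) certificate around spki_der."""
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    serial = _der(0x02, b"\x01")
    # sha256WithRSAEncryption, only so the structure looks like a real cert
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                            + _der(0x0c, b"resolver.example"))))
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
    tbs = _der(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    signature = _der(0x03, b"\x00" + bytes(32))   # placeholder, never verified here
    return _der(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    print(pin_from_certificate(build_sample_certificate(SAMPLE_SPKI)))
```

For a real resolver certificate, read the DER file (or convert PEM with `openssl x509 -outform der`) and pass the bytes to pin_from_certificate; the 44-character result is what goes into the -K argument, and comparing it against the pin published by the operator is the check the post relies on.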


