Support DoT (DNS over TLS) for Recursive Nameservers #4153
Comments
Issues go stale after 90d of inactivity.

/remove-lifecycle stale

would love to see this as well. Ideally would like to redirect all :53 traffic to my router, but need external DNS for cert-manager.

Issues go stale after 90d of inactivity.

/remove-lifecycle stale

Something sort-of similar (DoH) is being worked on in this PR: #5003 If that landed, would it solve your issues? (I note you say you'd actually prefer DoH to DoT)

I think that would satisfy this request.

Issues go stale after 90d of inactivity.

waiting on #5003 /remove-lifecycle stale

Issues go stale after 90d of inactivity.

still waiting on #5003 /remove-lifecycle stale

Issues go stale after 90d of inactivity.

#5003 is still an open thing /remove-lifecycle stale

Note to anyone following this thread: @FlorianLiebhart and I are actively working on #5003. I feel I have a good case to show the other maintainers to convince them that DNS-over-HTTPS with the JSON protocol makes sense to be implemented right into cert-manager.

Issues go stale after 90d of inactivity.

can confirm DoH is now supported for
Is your feature request related to a problem? Please describe.
When using split-horizon DNS or when a recursive resolver is not available, external recursive nameservers are recommended for use, see #2428 and #2143. Only UDP and TCP nameservers are supported, while neither DoH nor DoT is supported.
Describe the solution you'd like
Allow support for DNS over TLS. DoT is supported via miekg/dns#300. Specify using:
DNS over HTTPS is preferred, but DoH support was removed due to miekg/dns#800. Would specify using:
Describe alternatives you've considered
Additional context
TCP and UDP are only supported per `&dns.Client{Net: "udp", Timeout: DNSTimeout}` and `&dns.Client{Net: "tcp", Timeout: DNSTimeout}`: https://github.com/jetstack/cert-manager/blob/59c2a2d9f410e49cd9c43890e22fcc922655144a/pkg/issuer/acme/dns/util/wait.go#L160-L190

I brute-forced many options thinking I missed something in the code, all failed:
Environment details (remove if not applicable):
/kind feature
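The issue asks for the DNS01 self-check to reach a recursive nameserver over DoT instead of plaintext UDP/TCP. The example below is added here to show what that changes in practice; it is not cert-manager's code and does not use miekg/dns (whose documented knobs for this are `Net: "tcp-tls"` plus a `TLSConfig` on `dns.Client`). It uses only Go's standard library: `net.Resolver` frames a query with a two-byte length prefix whenever the conn its `Dial` returns is not a `net.PacketConn`, which is exactly the RFC 7858 wire format, so handing it a `*tls.Conn` is enough. The resolver name `dot.example.test`, the probe name, the token and the in-process stub server (with a throwaway self-signed certificate) are all constructed for the example. The point a practitioner should take from it is the second lookup in `main`: with DoT the self-check fails closed when the certificate does not match the resolver it was told to trust, before any DNS bytes are exchanged, which a plain `Net: "udp"` or `"tcp"` query can never do.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed values: a hypothetical resolver name, the stub's token, and a rooted probe name (no search-list expansion).
const stubName, stubToken, probeFQDN = "dot.example.test", "constructed-acme-challenge-token", "_acme-challenge.example.test."

// lookupTXTOverDoT does a TXT lookup over DNS-over-TLS (RFC 7858) with the standard library only. net.Resolver
// applies two-byte length framing to any conn that is not a net.PacketConn, which is the DoT wire format, so a
// *tls.Conn from Dial works unchanged. Verifying the certificate for serverName against roots (nil = system roots)
// is what ties the answer to the resolver the operator chose rather than to whoever sits on the path.
func lookupTXTOverDoT(ctx context.Context, addr, serverName string, roots *x509.CertPool, fqdn string) ([]string, error) {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	r := &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
		// Ignore the resolv.conf server the resolver proposes and always dial the DoT endpoint.
		d := &tls.Dialer{NetDialer: &net.Dialer{Timeout: 5 * time.Second}, Config: cfg}
		return d.DialContext(ctx, "tcp", addr)
	}}
	return r.LookupTXT(ctx, fqdn)
}

// buildTXTResponse copies the query ID and question and appends one TXT answer whose owner is a pointer (0xC00C) to the question name.
func buildTXTResponse(q []byte, token string) []byte {
	i := 12
	for i < len(q) && q[i] != 0 { // walk the uncompressed QNAME labels
		i += int(q[i]) + 1
	}
	qend := i + 5 // root label + QTYPE + QCLASS
	if qend > len(q) || len(token) > 200 {
		return nil
	}
	r := append([]byte{q[0], q[1], 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0}, q[12:qend]...) // QR RD RA; QD=1 AN=1
	r = append(r, 0xC0, 0x0C, 0, 16, 0, 1, 0, 0, 0, 60, 0, byte(len(token)+1), byte(len(token)))
	return append(r, token...)
}

// serveDoT is the constructed stand-in for a DoT resolver: one length-prefixed query in, one TXT answer out, per connection.
func serveDoT(ln net.Listener, token string) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		var hdr [2]byte
		if _, err := io.ReadFull(c, hdr[:]); err == nil { // the TLS handshake runs on this first read
			q := make([]byte, binary.BigEndian.Uint16(hdr[:]))
			if _, err := io.ReadFull(c, q); err == nil {
				if resp := buildTXTResponse(q, token); resp != nil {
					binary.BigEndian.PutUint16(hdr[:], uint16(len(resp)))
					c.Write(append(hdr[:], resp...))
				}
			}
		}
		c.Close()
	}
}

// startStub listens on loopback with a throwaway self-signed certificate for stubName and returns a pool trusting only it.
func startStub() (addr string, pool *x509.CertPool, ln net.Listener, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{stubName}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	leaf, _ := x509.ParseCertificate(der)
	pool = x509.NewCertPool()
	pool.AddCert(leaf)
	if ln, err = tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}); err != nil {
		return
	}
	go serveDoT(ln, stubToken)
	return ln.Addr().String(), pool, ln, nil
}

func main() {
	addr, pool, ln, err := startStub()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	txt, err := lookupTXTOverDoT(context.Background(), addr, stubName, pool, probeFQDN)
	fmt.Println("TXT via DoT:", txt, err)
	_, err = lookupTXTOverDoT(context.Background(), addr, "wrong.example.test", pool, probeFQDN)
	fmt.Println("wrong ServerName rejected before any DNS bytes flowed:", err != nil)
}
```

Against a real DoT resolver you would pass its `host:853` as `addr`, its certificate name as `serverName` and `nil` for `roots` so the system trust store is used; the stub and its certificate exist only so the example runs offline. The one-connection-at-a-time stub is deliberate: `net.Resolver` opens a fresh connection per query, and the handshake failure for the wrong ServerName surfaces as a dial error on the client side, so the self-check never sees a DNS answer it cannot attribute to the configured resolver.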