Hi,

Just to add to your Ars link, we wrote up some comments about the situation from a Cloudflare perspective over the past couple of days, and maybe that's also of interest:


I will encourage our people to read your draft. 


Joe

On 5 Sep 2025, at 07:52, Lanlan Pan <[email protected]> wrote:


Greetings All,


This draft describes the Certificate Transparency (CT) information of the DNS resolver.

It adds a new DNS Resolver Information Key (Follow RFC9606): CT.

- CT=1  indicates that the certificate of the encrypted DNS resolver contains embedded SCTs.

- CT=2  indicates that the encrypted DNS resolver supports the transparency_info TLS extension.

The background certificate hijacking issue: https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-1-dns-service-pose-a-threat-to-the-internet/


Best Regards,
潘蓝兰(Pan Lanlan)


---------- Forwarded message ---------
发件人: <[email protected]>
Date: 2025年9月5日周五 13:35
Subject: New Version Notification for draft-pan-dnsop-ct-info-of-dns-resolver-00.txt
To: Lanlan Pan <[email protected]>


A new version of Internet-Draft draft-pan-dnsop-ct-info-of-dns-resolver-00.txt
has been successfully submitted by Lanlan Pan and posted to the
IETF repository.

Name:     draft-pan-dnsop-ct-info-of-dns-resolver
Revision: 00
Title:    Certificate Transparency (CT) information of DNS resolver
Date:     2025-09-05
Group:    Individual Submission
Pages:    4
URL:      https://www.ietf.org/archive/id/draft-pan-dnsop-ct-info-of-dns-resolver-00.txt
Status:   https://datatracker.ietf.org/doc/draft-pan-dnsop-ct-info-of-dns-resolver/
HTMLized: https://datatracker.ietf.org/doc/html/draft-pan-dnsop-ct-info-of-dns-resolver


Abstract:

   This document describes the Certificate Transparency (CT) information
   of the DNS resolver.



The IETF Secretariat


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to