TLS offloading with DOH
Apparently the HTTPS library we are using for DOH supports HTTP. At least one user would like to be able to use a TLS proxy.
Some reasons:
- certificate rotation - e.g. Apache or nginx proxy can use ACME to automate all the certificate dance
- client authentication - TLS client certs + augmenting HTTP headers with proxied-for information
- logging at HTTP level
- offload the TLS processing on a dedicated system to reduce the impact of TLS on the BIND server and to centralize the certificate mgmt

Please test this to see if it works.
Please document that this is supported in the ARM.
ref: https://support.isc.org/Ticket/ModifyLinks.html?id=16797