TLS offloading with DoH
Apparently the HTTPS library we are using for DoH supports HTTP. At least one user would like to be able to use a TLS proxy.
- certificate rotation - e.g. an Apache or nginx proxy can use ACME to automate all the certificate dance
- client authentication - TLS client certs + augmenting HTTP headers with proxied-for information
- logging at HTTP level
- offload the TLS processing to a dedicated system to reduce the impact of TLS on the BIND server and to centralize the certificate management
- Please test this to see if it works
- Please document that this is supported in the ARM