On Mon, 1 Jul 2019, Michael Casadevall wrote:
> As for DoT/DoH, none of the above changes as there are no wire protocol changes to DNS in either of these use cases, and the cost of implementation is stupidly high. First off, it's impossible to deploy DoT/DoH in an internal network that uses RFC1918 address space (aka 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16) as CA/B forum CAs can't issue certificates for this address space;

What prevents you from requesting a certificate on an internet-connected IP using ACME, and then moving or also using it on the internal IP pointed to by internal-only split DNS?

> Device manufacturers also need to update their devices to update their root store from time to time.

I guess it really depends on your definition of IoT.

> It should also be noted that the current Mozilla NSS root store is approximately 250 KiB in size uncompressed.

Why would an IoT device need the whole Firefox or other vendor root CA store? Again, it really depends on what you call an IoT device.

> There are major issues with DoH/DoT in general, but a lot of devices in general are going to be simply incapable of supporting it because the cost of full TLS support + full set of CA root certificates is simply too high in terms of flash storage.

Maybe IoT devices shouldn't need to talk to the internet at large? And their trust model can be minimized to the little things it needs?

Paul
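The two technical points in this exchange are that DoT carries unchanged DNS wire messages (RFC 7858 just adds the 2-byte TCP length prefix inside TLS) and that a constrained device does not need a public root store if it trusts only the one CA that issued its resolver's certificate. The following is an added example written for this page, not code from either poster: it builds and parses plain DNS wire messages, frames them for DoT, and constructs a TLS client context whose entire trust store is a single CA file. The resolver name `resolver.internal`, the address `10.0.0.53`, the CA path `/etc/device/resolver-ca.pem` and the response bytes are all constructed here for illustration.

```python
import socket
import ssl
import struct

# DoT (RFC 7858): an ordinary DNS message, prefixed with a 2-byte big-endian
# length exactly as for DNS over TCP, sent inside a TLS session on port 853.
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumps = [], off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            jumps += 1
            if jumps > 16:                 # guard against pointer loops
                raise ValueError("too many compression pointers")
            if jumps == 1:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if jumps == 0:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Plain DNS query: header (RD=1, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(msg: bytes) -> bytes:
    """Add the 2-byte length prefix used by DNS over TCP and hence by DoT."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in a response, after basic sanity checks."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0xF:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                    # skip echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def build_response(query: bytes, addrs) -> bytes:
    """Construct a matching answer (used here only to exercise the parser)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:                        # name = pointer to question at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        rrs += socket.inet_aton(a)
    return header + query[12:] + rrs


def minimal_dot_context(ca_pem_path: str) -> ssl.SSLContext:
    """TLS client context that trusts exactly one CA file, not a root store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True              # also matches an IP SAN when given an IP
    ctx.load_verify_locations(cafile=ca_pem_path)   # assumed device-specific path
    return ctx


def resolve_over_dot(resolver: str, name: str, ctx: ssl.SSLContext, port: int = 853):
    """Send one framed query over TLS and return the A records (network use)."""
    txid = 0x1234
    with socket.create_connection((resolver, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(frame_for_tcp(build_query(txid, name)))
            length = struct.unpack("!H", tls.recv(2))[0]
            msg = b""
            while len(msg) < length:
                chunk = tls.recv(length - len(msg))
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                msg += chunk
    return parse_a_records(msg, txid)


if __name__ == "__main__":
    q = build_query(0x1234, "resolver.internal")
    print(parse_a_records(build_response(q, ["10.0.0.53"]), 0x1234))
    # ctx = minimal_dot_context("/etc/device/resolver-ca.pem")   # assumed path
    # print(resolve_over_dot("10.0.0.53", "printer.internal", ctx))
```

The trust store a device like this ships is one PEM certificate of a few hundred bytes rather than the full NSS bundle, and `check_hostname` still validates the resolver's name or IP SAN against the private CA's certificate.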