RHEL-131706: Zero Trust DoT certificate driven client ACL support

    • Type: Story
    • Resolution: Unresolved
    • rhel-10.1
    • bind
    • rhel-net-perf

Goal

• As a user of DNS over TLS, I want to authenticate clients to named.service by mutual TLS (client certificate) authentication.
  • Each machine could be authenticated with its own private key, managed in FreeIPA for example.
  • Each such client certificate would need some way to be mapped to a domain name via a KEY record.
  • A similar ACL already exists for the SIG(0) authentication style, described in: https://jpmens.net/2010/12/01/securing-dynamic-dns-updates-ddns-with-sig0/
  • This would be more efficient than per-message TSIG signatures (Kerberos or shared secret), and more efficient than SIG(0)-signed messages as well, but it requires DNS over TLS. We need that for Zero Trust servers anyway.

Acceptance criteria

A list of verification conditions, successful functional tests, or expected outcomes required to declare this story/task successfully completed.

• Verify the client can use its own certificate and private key.
• Verify the server can recognize that client and that the client can be specified in an ACL.
• Verify such a client can be allowed to update a record by an update-policy or allow-update statement.
• Verify such a client can be assigned a non-default view based on its client identification.

People: Petr Mensik (pemensik@redhat.com), NetPerfServicesQe Bot