by 8organicbits 1054 days ago
Great work! Public CAs have done a wonderful job making HTTPS easy for public websites, but private networks feel under-supported and we're often stuck with legacy tools. I'm really happy to see people building here.

I've been working on getlocalcert[1] which explores this problem from the other end: how can we make TLS certificate management and trust root distribution easier? There's lots of interest in using certificates issued by public CAs for private domains. Especially the free ones from Let's Encrypt. This completely avoids trust root distribution challenges and concerns about trust roots being used to MITM traffic. My local DNS management story is admittedly currently a hand-wave[2], but I really like your approach. I was hoping we could pair our tools, but I think mDNS is for .local only, so we won't be compatible.

I'm curious about the trust root you're using. Lots of tools will create these without any nameConstraints, which is reasonable as client-side support has historically been poor[3], but restricting the root and any intermediaries to *.local can reduce the risk that a stolen trust root is used to MITM unrelated sites like google.com.

[1] https://www.getlocalcert.net/

[2] https://docs.getlocalcert.net/dns/

[3] https://alexsci.com/blog/name-non-constraint/
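To make the nameConstraints point above concrete, here is an added example, not code from the comment, from getlocalcert, or from the tool being discussed. It assumes the openssl command-line tool is installed; the CA name, the hostnames foo.local and google.com, and the temporary file names are all constructed for the demo. It builds a root CA whose permitted subtree is DNS:.local, signs one leaf under .local and one for an unrelated public name with that root, and shows that chain verification accepts the first and rejects the second.

```shell
#!/bin/sh
# Added example (not from the original post): a name-constrained root CA built
# with the openssl CLI. Everything below (names, paths) is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root whose permitted subtree is DNS:.local. The leading dot means
# "any name under .local"; nothing outside that tree may chain to this root.
make_constrained_root() {
  cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Constrained Local Root (example)
[v3_ca]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
nameConstraints        = critical,permitted;DNS:.local
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -config "$WORK/root.cnf" >/dev/null 2>&1
}

# Issue a leaf certificate with a single DNS SAN ($1), signed directly by the root.
# The root config is reused only so the CSR does not depend on a system openssl.cnf.
issue_leaf() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -config "$WORK/root.cnf" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Verify leaf $1 against the root. OpenSSL applies the issuer's nameConstraints
# during chain building, so a name outside DNS:.local fails here with a
# "permitted subtree violation" even though the signature itself is valid.
# Prints "ok" or "rejected".
verify_leaf() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

make_constrained_root
issue_leaf foo.local      # inside the permitted subtree
issue_leaf google.com     # outside it: a stolen root key buys nothing here
echo "foo.local:  $(verify_leaf foo.local)"
echo "google.com: $(verify_leaf google.com)"
```

The rejection shown is OpenSSL's; as the comment and its linked post note, client support for nameConstraints has historically been uneven, so the constraint reduces the blast radius of a leaked root only on clients that enforce it. The constraint is applied to certificates below the root in the chain, not to the root's own subject, which is why the root's non-.local CN does not trip it.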

1 comment

Hmm, I may need to look at this some more. Avahi supports[1] changing the default domain, so I think you could in principle use mDNS for domains other than .local. But that's a config change, so it wouldn't have that out-of-the-box zero-config benefit.

[1] https://linux.die.net/man/5/avahi-daemon.conf