Thank you for all your insight.

I have tested with one certificate that includes the separate dns64 domain as an alternative name, and it works fine.
It is simpler and just requires a unique certificate for dns64 and non-dns64 for DoT and DoH.

So I will set that change in production first, and then I will be able to test version 6.x.

--Bolemo

On 31 May 2024 at 20:36, Vladimír Čunát via knot-resolver-users <knot-resolver-users@lists.nic.cz> wrote:

On 31/05/2024 19.00, oui.mages_0w@icloud.com wrote:
we have different TLS domains/certificates for dns64 and non dns64

Oh, OK.  Such a thing hasn't occurred to us, so it's not possible.  In that case I expect you'll need to stay on 5.x for now, with separate processes for dns64 and non-dns64 (but they can share the cache).  Overall I don't think the current code can support multiple certificates.
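The single-certificate approach Bolemo settled on, as an added example that is not from this thread or from the Knot Resolver project: one self-signed test certificate carrying both the non-dns64 and the dns64 hostnames as Subject Alternative Names, plus a check that each name the DoT/DoH listeners will be reached under is actually in the SAN list. The hostnames and the temporary paths are constructed placeholders; `openssl` 1.1.1 or newer is assumed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Build one certificate whose SAN covers both resolver names, then verify it.
# Hostnames below are constructed placeholders, not the thread's real names.
set -e

PLAIN_HOST="dns.example.net"     # assumed non-dns64 DoT/DoH name
DNS64_HOST="dns64.example.net"   # assumed dns64 DoT/DoH name
WORK="$(mktemp -d)"

# Generate a key and a self-signed certificate listing both names in the
# subjectAltName extension (what a DoT/DoH client matches against).
make_dual_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=$PLAIN_HOST" \
        -addext "subjectAltName=DNS:$PLAIN_HOST,DNS:$DNS64_HOST" \
        >/dev/null 2>&1
}

# Print the certificate's SAN DNS entries, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 when the certificate lists the given hostname as a SAN DNS entry.
san_covers() {
    san_dns_names "$1" | grep -qx "$2"
}

make_dual_san_cert
for h in "$PLAIN_HOST" "$DNS64_HOST"; do
    if san_covers "$WORK/cert.pem" "$h"; then
        echo "OK: $h is covered by $WORK/cert.pem"
    else
        echo "MISSING: $h is not in the SAN list of $WORK/cert.pem" >&2
    fi
done
```

Run the same `san_covers` check against the production certificate before switching the listeners to it, so a name that was only in the old dns64 certificate does not silently drop out.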
