This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients christian.heimes, eighthave
Date 2021-10-22.10:41:35
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Thanks for filing this feature request!

The DNS lookup part is out of scope for the ssl module. I don't want to get into the DNS business. At $WORK I work on BIND, DNSSEC and DNS over TLS. Secure DNS (and DNS in general) is already complicated when you control the entire stack and only have to deal with one family of Linux distros. AFAIK there isn't even a platform-independent way to perform lookups with abitrary RRTYPEs. res_nquery() is only available on some platforms and doesn't work reliable with some libcs. I have had issues with EDNS0 on musl in the past. KRB5KDC SRV looks with large responses where unreliable. Let's offload the DNS part of consumers of the ssl module. They can use python-dns or c-ares.

The ECH part and callback look sensible, though. I'll include the APIs as soon as OpenSSL support them.
Date User Action Args
2021-10-22 10:41:35christian.heimessetrecipients: + christian.heimes, eighthave
2021-10-22 10:41:35christian.heimessetmessageid: <>
2021-10-22 10:41:35christian.heimeslinkissue45567 messages
2021-10-22 10:41:35christian.heimescreate