bemasc
commented
1 year ago I think it's the same thing in alias mode: check that the origin is accessible when using the new zone contents.
I think "ECH works" is a bit vague. We probably want an error if the zone would become unreachable, vs. a warning if ECH fallback mode is triggered.
sftcd
I think it's good that we say that the ZF should (or may) test that ECH works before publishing an HTTPS/SVCB RR for a name. In most cases, but maybe not all, that can be done by accessing the landing page for $ORIGIN and verifying that ECH worked and we got an HTTP 200 response (or maybe we'd also allow other HTTP response codes, e.g. a 40x?). But is there a better way to do/phrase that?
I'm also wondering what to verify if $ORIGIN says to use aliasMode - I guess the checking ECH works at the same URL (whatever that may be) for any ECHConfig is enough? (But worth pondering I guess....)