
[feature request] Use the public key address to verify server TLS certificate #126

Open
bodems opened this issue Nov 19, 2023 · 1 comment

bodems commented Nov 19, 2023

This is not especially about the kadnode software itself, but for the "kadnode ecosystem". Using the public key as an address is a good first step to cryptographically secure DNS, but what happens after DNS? At the end you want to communicate with a server and it should be encrypted and authenticated. On the normal internet you have CAs who issue you a certificate for your domain, but this isn't possible for .p2p domains. A malicious actor could intercept the traffic after a successful DNS verification process and route the traffic to their own server. Of course you can import your own CA so you don't get a warning in your browser or your app, but this isn't a solution for normal users. So why not use the same key for verifying DNS and the TLS server certificate? Unfortunately this has to be implemented in every application you want to use with kadnode.
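The check the request above describes, as an added example that is neither KadNode code nor the reporter's: it assumes a `.p2p` name is the hex of the server's Ed25519 public key and verifies that the presented certificate's SubjectPublicKeyInfo carries that same key, which is the step that would replace the CA. The certificate fixture, key bytes and function names are constructed for the example; the DER helpers are minimal and only cover what an X.509 leaf needs here.

```python
def der(tag, content):
    """Encode one DER TLV; lengths under 256 bytes are enough for the fixture."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def der_tlv(buf, off=0):
    """Decode the TLV at offset -> (tag, value, total_length)."""
    ln, hdr = buf[off + 1], 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return buf[off], buf[off + hdr:off + hdr + ln], hdr + ln

def der_children(value):
    """Split a SEQUENCE body into (tag, value, raw_tlv) triples."""
    out, off = [], 0
    while off < len(value):
        tag, val, tot = der_tlv(value, off)
        out.append((tag, val, value[off:off + tot]))
        off += tot
    return out

ED25519_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))  # OID 1.3.101.112

def public_key_from_cert(cert_der):
    """Return the raw 32-byte Ed25519 key from the leaf's SubjectPublicKeyInfo."""
    _, cert, _ = der_tlv(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                   # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    # order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, key_bits = der_children(fields[5][1])
    if alg[2] != ED25519_ALG:
        raise ValueError("expected an Ed25519 SubjectPublicKeyInfo")
    return key_bits[1][1:]                      # BIT STRING: drop unused-bits byte

def cert_matches_name(cert_der, name):
    """Pin check: the certificate key must equal the key encoded in <hex>.p2p."""
    return public_key_from_cert(cert_der) == bytes.fromhex(name.lower().split(".")[0])

def build_fixture_cert(pubkey):
    """Constructed certificate shape with a dummy signature (the pin ignores it)."""
    spki = der(0x30, ED25519_ALG + der(0x03, b"\x00" + pubkey))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"330101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ED25519_ALG
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + ED25519_ALG + der(0x03, b"\x00" + bytes(64)))

SERVER_KEY = bytes(range(32))                   # constructed sample key
SERVER_NAME = SERVER_KEY.hex() + ".p2p"         # the name the DHT resolved
```

Because the pin is on the key rather than on a signature chain, a server that wins the lookup step but does not hold the key behind the name fails this check, which is the interception case the request raises.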

mwarning (Owner) commented

Hi @bodems, nice to hear from you. :-)

Instead what could be done is to have a list in a config file of all domains that you want to resolve with KadNode (instead of *.p2p).
Then KadNode can intercept it and resolve it using the DHT to a bunch of IPs. Then it can be authenticated by KadNode using TLS (using global certificates) and if the IP checks out the IP will be passed back to the web browser.

That might work for web browsers.
