Hayden Ball

Reputation: 307

HTTPS with mDNS

I've been looking into using mDNS for service discovery from a JavaScript application. The basic idea is making an AJAX request to exampleservice.local and having that return JSON with relevant information.

As the application is loaded over HTTPS, any AJAX requests must also be made using HTTPS (to avoid non-secure content warnings, etc.). However, from November 2015, it will not be possible to get a trusted CA-issued certificate for .local domains.

Given the new restriction above, is there any way to use HTTPS with mDNS that doesn't involve having the user trust self-signed certificates?

Upvotes: 2

Views: 3689

Answers (1)

Steffen Ullrich

Reputation: 123531

mDNS is for names local to the network. Globally issued certificates are for names on the internet and cannot be used for local names because, contrary to a globally unique name on the internet, local names can be the same in different local networks, and thus there is no real owner of the name who can claim a global certificate for it.

This means that you cannot use the global trust settings (i.e. root CA) available in the browser, but must instead add local trust settings. This can be done by having your own local root CA and trusting it within all browsers on the local network, or by using self-signed certificates which need to be explicitly trusted by each user.

Apart from that, just imagine that other developers have the same kind of idea. This would mean that there will be several independent certificates for the same local names, because they are all inside different local networks. So using mDNS names together with HTTPS will only make sense in local installations without any kind of mobile clients.

Upvotes: 2
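The local root CA option from the answer, sketched with the `openssl` CLI as an added example (not code from the question or the answer). File names, subject names, key sizes and lifetimes are assumptions, and the `nameConstraints` extension limiting the CA to names under `local` is an addition the answer does not mention.

```sh
#!/bin/sh
# Added example: private root CA and a server certificate for an mDNS name.
# File names, subject names and lifetimes are assumptions for illustration.

make_local_ca() {   # $1 = work dir; writes pki.cnf, ca.key, ca.crt
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Not from the answer: restrict what this CA may sign to names under "local".
nameConstraints = critical, permitted;DNS:local
EOF
  openssl req -x509 -config "$1/pki.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Local Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt"
}

issue_leaf() {   # $1 = work dir, $2 = host name, $3 = output file prefix
  cat > "$1/$3.ext" <<EOF
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$3.key" -out "$1/$3.csr" &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 397 \
    -extfile "$1/$3.ext" -extensions leaf_ext -out "$1/$3.crt"
}

verify_leaf() {   # exit status 0 only if chain and host name both check out
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$3.crt"
}
```

Only `ca.crt` is distributed to the clients' trust stores; `ca.key` stays offline, since anyone holding it can issue certificates those clients will accept.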
