Dirkjan Ochtman

Yes, although I think we should use explicit features bearing the exact name of the dependency.

@ctz should we keep the comment about these being auto-generated from ctz/tls-hacking or do we now maintain these here?

https://github.com/djc/sign-cert-remote/blob/main/src/main.rs contains example code setting up a private CA with rcgen. Might be useful to someone.

@japaric do you understand why the conformance tests are timing out here? Is it related to the contents of this PR?

Have a look at the [`RetryDnsHandle`](https://github.com/hickory-dns/hickory-dns/blob/main/crates/proto/src/xfer/retry_dns_handle.rs#L98) and the [logic](https://github.com/hickory-dns/hickory-dns/blob/main/crates/resolver/src/name_server/name_server_pool.rs#L257) for trying a request against a `NameServerPool`? (There's also some logic in the [`LookupFuture`](https://github.com/hickory-dns/hickory-dns/blob/main/crates/resolver/src/lookup.rs#L315).)

This failed CI on main: https://github.com/hickory-dns/hickory-dns/actions/runs/9777369448/job/26991905906#step:5:2056

Hmm... would this be better if we implemented the conformance tests in a different job? Or maybe can invert the "burden of change proof" so that only the conformance tests...

Yup, both of these seem like reasonable ideas. I won't be able to implement these but happy to review a short design proposal and/or a PR implementing these.

I'd like to get a review from @bluejekyll in. You can use this branch as the base branch for your next one?

Seems reasonable to try 0 after trying a few random ports -- chances seem good that remaining unused ports are sparsely scattered across the space. Can we reset to trying...