also, redirects (308, etc.) are not permitted as per security standards of NIP-05. this is a simple dumb thing that tripped me up. clients are instructed not to follow redirects. that will yield a red-herring CORS issue.
also, if this well-known JSON will rarely change, set cache control for aggressive dns/client caching. will save you 100-1000x bandwidth.
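
An added example, not part of the original post: a small Python check an operator could run against their own `/.well-known/nostr.json` to catch the redirect, the missing CORS header and missing caching in one pass. The names `audit`, `check` and `NoRedirect` are hypothetical, the sample responses are constructed, and the body check assumes the NIP-05 response is a JSON object with a `names` map.

```python
import json
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def audit(status, headers, body):
    """Findings for one /.well-known/nostr.json response; empty list means OK."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return [f"redirect {status} to {h.get('location', '?')}: clients ignore it"]
    if status != 200:
        return [f"unexpected status {status}"]
    findings = []
    if h.get("access-control-allow-origin") != "*":
        findings.append("no Access-Control-Allow-Origin: *, browser clients fail")
    cc = h.get("cache-control", "").lower()
    if "max-age" not in cc or "no-store" in cc:
        findings.append("no cacheable Cache-Control, every lookup hits the origin")
    try:
        if not isinstance(json.loads(body).get("names"), dict):
            findings.append('JSON has no "names" object')
    except (ValueError, AttributeError):
        findings.append("body is not a JSON object")
    return findings

def check(domain, name="_"):
    """Fetch the live endpoint without following redirects, then audit it."""
    url = f"https://{domain}/.well-known/nostr.json?name={name}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return audit(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:
        return audit(e.code, dict(e.headers), b"")

# Constructed sample responses (example.com and the key are placeholders).
REDIRECTED = (308, {"Location": "https://www.example.com/.well-known/nostr.json"}, b"")
GOOD = (200, {"Access-Control-Allow-Origin": "*",
              "Cache-Control": "public, max-age=86400"},
        b'{"names": {"_": "PLACEHOLDER_HEX_PUBKEY"}}')

if __name__ == "__main__":
    for label, sample in (("redirected", REDIRECTED), ("good", GOOD)):
        print(label, audit(*sample) or "ok")
```

Run `check("your-domain")` from a machine outside your own network so the result reflects what clients see, including any redirect added by a CDN or a `www` rewrite rule.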