Re: [DNSOP] Proposal for a new record type: SNI
"John Levine" <johnl@taugh.com> Fri, 17 February 2017 22:03 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C1A129C1C for <dnsop@ietfa.amsl.com>; Fri, 17 Feb 2017 14:03:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQHaEE1bxKBS for <dnsop@ietfa.amsl.com>; Fri, 17 Feb 2017 14:03:37 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A22CE129C0A for <dnsop@ietf.org>; Fri, 17 Feb 2017 14:03:32 -0800 (PST)
Received: (qmail 75574 invoked from network); 17 Feb 2017 22:03:31 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 17 Feb 2017 22:03:31 -0000
Date: Fri, 17 Feb 2017 22:03:09 -0000
Message-ID: <20170217220309.9637.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/71G-5Gkuvv4tMkiLrgbFoUnIVio>
Subject: Re: [DNSOP] Proposal for a new record type: SNI
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 22:03:39 -0000
In article <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com> you write: >I know this approach is controversial, so I'm also very curious to hear any >suggestions of other ways that we could fix this privacy leak without >slowing down everyone's connections. I have problems with the word "other". This approach depends for its security on the assumption that it is hard to reverse SNI record lookups, that is, to find the qname(s) that have SNI records with given contents. That is a poor assumption. There are many large passive DNS databases, and a lot of people have access to them. My working assumption is that anyone sophisticated enough to peek at TLS handshake packets is sophisticated enough to find a passive DNS source. So to me the question is whether the small speculative incremental increase in user security is worth the investment to define a new record type, add it to DNS servers and provisioning systems, add it to web server configuration languages, and set up whatever infrastructure is needed to coordinate the published SNI records and what the web servers expect. I'd also note that if the assumption is that people will publish SNI records through the usual registrar and dns hosting operators managed through web consoles, there is no chance that the webware will support SNI records. We know this because they don't support any other RRTYPEs defined in the past decade, either. R's, John
- [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI Robert Edmonds
- Re: [DNSOP] Proposal for a new record type: SNI Paul Wouters
- Re: [DNSOP] Proposal for a new record type: SNI Wessels, Duane
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI Robert Edmonds
- Re: [DNSOP] Proposal for a new record type: SNI John Levine
- Re: [DNSOP] Proposal for a new record type: SNI John Levine
- Re: [DNSOP] Proposal for a new record type: SNI Warren Kumari
- Re: [DNSOP] Proposal for a new record type: SNI Adrien de Croy
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI John Levine
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI John Levine
- Re: [DNSOP] Proposal for a new record type: SNI Erik Nygren
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI John R Levine
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI John R Levine
- Re: [DNSOP] Proposal for a new record type: SNI Tony Finch
- Re: [DNSOP] Proposal for a new record type: SNI Phillip Hallam-Baker
- Re: [DNSOP] Proposal for a new record type: SNI Ben Schwartz
- Re: [DNSOP] Proposal for a new record type: SNI John Levine
- Re: [DNSOP] Proposal for a new record type: SNI Warren Kumari
- Re: [DNSOP] Proposal for a new record type: SNI John R Levine
- Re: [DNSOP] Proposal for a new record type: SNI Robert Edmonds
- Re: [DNSOP] Proposal for a new record type: SNI Phillip Hallam-Baker
- Re: [DNSOP] Proposal for a new record type: SNI John R Levine
- Re: [DNSOP] Proposal for a new record type: SNI Mark Andrews
- Re: [DNSOP] Proposal for a new record type: SNI Phillip Hallam-Baker
- Re: [DNSOP] Proposal for a new record type: SNI Mark Andrews