Re: [DNSOP] Proposal for a new record type: SNI

"John Levine" <johnl@taugh.com> Tue, 14 February 2017 22:14 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94BD81294F2 for <dnsop@ietfa.amsl.com>; Tue, 14 Feb 2017 14:14:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdlE5FgwBg2d for <dnsop@ietfa.amsl.com>; Tue, 14 Feb 2017 14:14:55 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63576129454 for <dnsop@ietf.org>; Tue, 14 Feb 2017 14:14:55 -0800 (PST)
Received: (qmail 3856 invoked from network); 14 Feb 2017 22:14:54 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 14 Feb 2017 22:14:54 -0000
Date: 14 Feb 2017 22:14:32 -0000
Message-ID: <20170214221432.15487.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <alpine.LRH.2.20.1702141415360.31528@bofh.nohats.ca>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8dcOUb85UA3-20aLaMb9pXP7aE0>
Cc: paul@nohats.ca
Subject: Re: [DNSOP] Proposal for a new record type: SNI
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 22:14:56 -0000

In article <alpine.LRH.2.20.1702141415360.31528@bofh.nohats.ca> you write:
>This seems like a bandaid to TLS that I think just needs
>fixing in the TLS protocol.

For once I agree with Paul.

If you're going to change the client anyway, why is this better than a
modified handshake that sets up the encrypted channel before sending
the SNI?  I realize this is not a great time to open up TLS, with the
dust from TLS 1.3 just settling, but there's never a good time for
some stuff.

You should assume that bad guys have access to passive DNS databases,
so it's not hard to reverse the indirection that SNI records provide.
If you used TXT records the reversal would be slightly harder, since
you'd have to pick them out from all the other cruft that's encoded
in _prefix TXT records.

R's,
John
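The passive-DNS argument in the message above, worked through as an added example (this is not code from John Levine's mail, from the SNI proposal, or from any IETF draft). It assumes a dedicated `SNI` record whose rdata is the indirect name a client would send in the handshake, and an alternative `v=sni1 name=...` TXT encoding under an `_sni` prefix; both formats are assumptions for illustration, since the thread does not spell out the proposal's record syntax. The passive-DNS observations are constructed. The code builds the reverse index a passive-DNS database trivially provides and shows why the indirection hides nothing from anyone holding such a database, and why the TXT variant only adds a filtering step.

```python
import re
from collections import defaultdict

# Constructed passive-DNS observations, not real data. Each line is
# "<owner> <rrtype> <rdata>". The SNI rrtype and the "v=sni1 name=..."
# TXT convention are assumptions made for this illustration; the thread
# does not give the proposal's actual record format.
PASSIVE_DNS = """\
www.example.com. SNI a8f3k2.cdn.example.net.
mail.example.com. SNI q7zp01.cdn.example.net.
example.com. TXT "v=spf1 include:_spf.example.net -all"
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
_acme-challenge.shop.example.com. TXT "gfj9Wovb2cXzjXz3wqD5LfcK"
_sni.shop.example.com. TXT "v=sni1 name=b2c4d8.cdn.example.net"
_sni.blog.example.com. TXT "v=sni1 name=x91q0t.cdn.example.net"
"""

# Assumed TXT encoding of the same indirection, living under an _sni prefix.
SNI_TXT_RE = re.compile(r'^"v=sni1\s+name=([^\s"]+)"$')


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_passive_dns(text):
    """Parse 'owner rrtype rdata' lines; rdata may contain spaces (quoted TXT)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        owner, rrtype, rdata = line.split(None, 2)
        records.append((normalize(owner), rrtype.upper(), rdata))
    return records


def reverse_sni_records(records):
    """Index dedicated SNI records by rdata: indirect name -> real owner names.

    With a dedicated rrtype the reversal is a plain dictionary inversion.
    """
    index = defaultdict(set)
    for owner, rrtype, rdata in records:
        if rrtype == "SNI":
            index[normalize(rdata)].add(owner)
    return dict(index)


def reverse_txt_records(records):
    """Same inversion for the TXT encoding.

    The only extra work is picking the SNI-style TXT records out of the SPF,
    DMARC, DKIM and ACME records that share the TXT type: the "slightly
    harder" step the mail refers to.
    """
    index = defaultdict(set)
    for owner, rrtype, rdata in records:
        if rrtype != "TXT" or not owner.startswith("_sni."):
            continue
        m = SNI_TXT_RE.match(rdata)
        if not m:
            continue
        real_owner = owner[len("_sni."):]
        index[normalize(m.group(1))].add(real_owner)
    return dict(index)


def recover_hostnames(observed_sni, records):
    """Given an indirect SNI value seen on the wire, return the real hostnames it stands for."""
    combined = defaultdict(set)
    for index in (reverse_sni_records(records), reverse_txt_records(records)):
        for indirect, owners in index.items():
            combined[indirect] |= owners
    return sorted(combined.get(normalize(observed_sni), ()))


if __name__ == "__main__":
    recs = parse_passive_dns(PASSIVE_DNS)
    for seen in ("a8f3k2.cdn.example.net", "b2c4d8.cdn.example.net", "unknown.cdn.example.net"):
        print(seen, "->", recover_hostnames(seen, recs))
```

The lookup succeeds for both encodings because the indirection is published in the DNS, where passive collectors record it; a design that wants the destination name to stay private has to keep it out of the public DNS entirely, which is what moving the protection into the TLS handshake itself does.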