Re: [DNSOP] Proposal for a new record type: SNI

Robert Edmonds <edmonds@mycre.ws> Tue, 14 February 2017 19:16 UTC

Date: Tue, 14 Feb 2017 14:16:15 -0500
From: Robert Edmonds <edmonds@mycre.ws>
To: Ben Schwartz <bemasc@google.com>
Message-ID: <20170214191615.rwawyluf6nf4lfnm@mycre.ws>
References: <CAHbrMsAJ5JRtdjZRkCq4qC3dS_Fx96WBu8DPnJ1sSf=9HErKrw@mail.gmail.com>
In-Reply-To: <CAHbrMsAJ5JRtdjZRkCq4qC3dS_Fx96WBu8DPnJ1sSf=9HErKrw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ArPKf91IboTTD4JWJy1sGxd0Pww>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Proposal for a new record type: SNI

Ben Schwartz wrote:
> Hi dnsop,
> 
> I've written a draft proposal to improve the privacy of TLS connections, by
> letting servers use the DNS to tell clients what SNI to send.
> 
> https://tools.ietf.org/html/draft-schwartz-dns-sni-01
> 
> I've incorporated some helpful feedback [1] from the TLS WG, but now I
> could use your help analyzing the DNS side. All comments welcome; this
> draft will change based on your feedback.
> 
> One particular issue that I could use advice on: should this be a new
> record type, or should it reuse/repurpose an existing type like SRV or PTR?
> 
> Thanks,
> Ben
> 
> [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html

Hi, Ben:

I'm kind of curious: your examples are pretty HTTP-centric, and HTTP
already has some pretty strong features for origins to persistently
modify how clients perform TLS, i.e., HTTP Strict Transport Security and
HTTP Public Key Pinning, along with preloading of those settings by the
browser vendors. Why not follow that same model for the functionality in
your draft?

-- 
Robert Edmonds