Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

Patrick McManus <pmcmanus@mozilla.com> Thu, 19 July 2018 19:07 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5DBC130E8B; Thu, 19 Jul 2018 12:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15WcFOs08QWF; Thu, 19 Jul 2018 12:07:27 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id C6DAC130DC6; Thu, 19 Jul 2018 12:07:27 -0700 (PDT)
Received: from mail-oi0-f50.google.com (mail-oi0-f50.google.com [209.85.218.50]) by linode64.ducksong.com (Postfix) with ESMTPSA id BC1C03A04B; Thu, 19 Jul 2018 15:07:26 -0400 (EDT)
Received: by mail-oi0-f50.google.com with SMTP id v8-v6so16963241oie.5; Thu, 19 Jul 2018 12:07:26 -0700 (PDT)
X-Gm-Message-State: AOUpUlEB2r1Ttggwr4yFjMOwij6mdDEw39L9ALhBKIkL3u/9Z0SuTyv6 Kh3M3/nwzA1QiQ7immLvs9nhEURQlaprlrrdz4o=
X-Google-Smtp-Source: AAOMgpcwuS6BelOWTJ+BDS16MqAlvi236mcMM9t2hPKYvTWzpnrMmryJ77XaQXTZbHA4lm+BsWHhPLnzKMoUmjeGoCQ=
X-Received: by 2002:aca:d04b:: with SMTP id h72-v6mr10069943oig.17.1532027246455; Thu, 19 Jul 2018 12:07:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a22:0:0:0:0:0 with HTTP; Thu, 19 Jul 2018 12:07:25 -0700 (PDT)
In-Reply-To: <CAM1xaJ8nsqreqBz7f2fG_HOaB6dc5JOS_S9Oxj5pyiOaPiyvsA@mail.gmail.com>
References: <20180707191900.7jjaxklib3tlixgb@nic.fr> <CAM1xaJ_jcMunvfuqqgoe-5hTSE1t=A4ELWF1j0SBsztoZ_1S=w@mail.gmail.com> <CAOdDvNpWs3_+c3=pdYjxm+UrEfBUawcTKXY4ks0VbuGSts+q7Q@mail.gmail.com> <CADyWQ+HwNsvgs0BnQ3NqnEob6xZrcbmk_qVOX58UCW4rFrmahg@mail.gmail.com> <CAOdDvNq65kGho6oCX=mMw+qebHOqzJq6qJ7kAWdO53wAKeyj2A@mail.gmail.com> <CAM1xaJ8nsqreqBz7f2fG_HOaB6dc5JOS_S9Oxj5pyiOaPiyvsA@mail.gmail.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Thu, 19 Jul 2018 15:07:25 -0400
X-Gmail-Original-Message-ID: <CAOdDvNrMrz0Vx74xued7MrSR1jx5RpBmn1TsWcp-rOmg2H3J8w@mail.gmail.com>
Message-ID: <CAOdDvNrMrz0Vx74xued7MrSR1jx5RpBmn1TsWcp-rOmg2H3J8w@mail.gmail.com>
To: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= <jv@fcelda.cz>
Cc: Patrick McManus <pmcmanus@mozilla.com>, tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, draft-rescorla-tls-esni@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cfb57d05715ee3be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FmeYuzlYSD6KGWDOr-P4YlWNKSs>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 19:07:31 -0000

Hi Jan,

On Thu, Jul 19, 2018 at 2:48 PM, Jan Včelák <jv@fcelda.cz> wrote:

> Patrick, I believe my understanding of the SNI consumer side is the
> same. I'm talking about inability to use DNS wildcard on SNI producer
> side:
>
> Let's say I get domain example.com and wildcard certificate
> *.example.com. I want to run a couple of services on the subdomains of
>

the esni keys are completely independent of the associated certificates.
Indeed it is anticipated that the same set of esni keys would cover many
different parties and certificates that only share a TLS termination point
in common. (i.e. the esni keys don't encrypt or authenticate https, they
just encrypt the SNI field). so for clarity we should probably move on from
certificate properties.

nonetheless, it is indeed the point of ESNI that the same TXT (or perhaps
ESNI RR-type) content applies to multiple domains - that's what forms the
anonymity pool.


> example.com and I want to use ESNI. If a TLS client want's to connect
> for instance to www.example.com, it will resolve www.example.com
> A/AAAA record to get server IP and _esni.www.example.com TXT to get
> the key to encrypt SNI. Is that right or did I miss something about
> your draft?
>
>
sounds right


> If the above true, then my objection is that I cannot use DNS wildcard
> for _esni record and I will have to create explicit one for each
> subdomain (service) on example.com. Another annoying thing is that
> existence of _esni.www.example.com TXT record will prevent expansion
> of *.example.com A/AAAA for www.example.com. The solution would be to
> request new DNS RR type for ESNI which could be used with
> *.example.com DNS name.
>
>
got it (and as I hinted above, the RRTYPE is an open issue in the bug
tracker - I think there's significant support for making the change though
this is the first I've heard this argument, so I'll add it to the list.
thanks).

Am I correct in saying that what you're getting at is not so much a wire
issue as a convention among configuration and implementations? i.e.
wildcards are synthesized - they aren't actually sent as responses that
clients use in some kind of short-cut kind of way?

Thanks for the help.





> Jan
> On Thu, Jul 19, 2018 at 2:27 PM Patrick McManus <pmcmanus@mozilla.com>
> wrote:
> >
> > the tls server side (aka the cert side) can definitely use a wildcard
> (or a list of explicit names, or a mix of both!) But that's the SNI
> consumer. The draft is about the SNI producer which does not use wildcards.
> >
> > e.g. the ESNI work is about what is put in the TLS client handshake
> (historically the SNI and according this draft a new extension carrying the
> encrypted SNI) - and that is always an explicit name. And that's also the
> subject of the DNS query in order to obtain the keys. The DNS query and SNI
> leak similar amounts of information (although perhaps to different
> parties), so an encrypted DoT or DoH is an important part of the system.
> >
> >
> > On Thu, Jul 19, 2018 at 1:53 PM, Tim Wicinski <tjw.ietf@gmail.com>
> wrote:
> >>
> >> Patrick
> >>
> >> Can I go and order a SSL Cert with a standard name and a wildcard name
> for SNI?  We do that now.
> >>
> >> So, I think Jan is onto something.
> >>
> >>
> >> On Thu, Jul 19, 2018 at 1:47 PM, Patrick McManus <pmcmanus@mozilla.com>
> wrote:
> >>>
> >>>
> >>> On Thu, Jul 19, 2018 at 1:36 PM, Jan Včelák <jv@fcelda.cz> wrote:
> >>>>
> >>>> Hey,
> >>>>
> >>>> I just scanned the draft and focused mainly on the DNS bits. The
> >>>> described method for publishing encryption keys for SNI in DNS won't
> >>>> allow use of wildcard domain names.
> >>>>
> >>>
> >>> Thanks!
> >>>
> >>> I believe the draft is OK on this point because wildcards aren't
> needed. While certificates can be valid for wildcard domains, the SNI is
> always a specific hostname (and the plaintext hostname informs the DNS
> question)
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> DNSOP mailing list
> >>> DNSOP@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/dnsop
> >>>
> >>
> >
>