Re: [DNSOP] Proposal for a new record type: SNI
Warren Kumari <warren@kumari.net> Mon, 20 February 2017 23:24 UTC
In-Reply-To: <20170220211925.1906.qmail@ary.lan>
References: <alpine.DEB.2.11.1702201458030.23970@grey.csi.cam.ac.uk> <20170220211925.1906.qmail@ary.lan>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 20 Feb 2017 18:24:04 -0500
Message-ID: <CAHw9_i+3zDg5tTnPOstiGcH6RvjnAJgNKpkeHV=0-+mN7VNAxQ@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LLUCC5B-6kHxzjmOb3An_rlP1uk>
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Proposal for a new record type: SNI
On Mon, Feb 20, 2017 at 4:19 PM, John Levine <johnl@taugh.com> wrote:
> In article <alpine.DEB.2.11.1702201458030.23970@grey.csi.cam.ac.uk> you write:
>>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>>DANE TLSA records to identify the server's cert or key, and use a
>>variation of TLS SNI to request the cert by digest instead of by name?
>
> I don't see how that would help. Using passive DNS it's easy to find
> all the names that point to a server, which makes it easy to get all
> of the TLSA records for those names so the bad guy knows the hashes.

http://www.bieberfever.com/ ("The Official Justin Bieber Fan Club") is hosted by Akamai on 23.38.103.18. According to DNSDB (IMO the best passive DNS service), there are 605 other sites *also* hosted on 23.38.103.18.

No doubt pervasive monitors (and others) will use passive DNS systems to build a map of SNI DNS RRs, but I'd much much rather have the men in black thinking that I'm visiting www.precisiondoor.net, www.theman.in, or www.worldsleadingcruiselines.com than knowing my dirty little secret love of the Bieb...

Even more embarrassing is my love of Kylie Minogue -- 162.249.104.157 [0] I'd much rather have anyone watching my TLS connections think that I'm a fan of www.artofnoiseofficial.com, lilyallen.de or one of the other 900+ sites on that IP address.

Yes, maps of $site -> SNI *will* be made, and will be used for profiling -- but ... "I read Playboy for the articles" only works if they have articles -- I only went to www.worldsleadingcruiselines.com to read that, *not* to try to buy the new poster, you know, the one where his hair is *sooo* dreamy...

W

> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
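The argument in the message above is about anonymity set size: a watcher who sees only the destination IP (because the real name is not sent in cleartext SNI) can narrow the visit down only to the set of names that passive DNS shows resolving to that address, while a watcher who sees the real name in the clear gets the exact site. The following script is an added example, not code from the DNSOP thread or from any passive DNS product; the hostnames and addresses in it are constructed placeholders (RFC 5737 documentation ranges and `.test` names), not DNSDB output.

```python
"""Anonymity set of a co-hosted site, computed from passive-DNS observations.

Added example for the DNSOP SNI thread; not code from the thread.
The observations below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed passive-DNS observations as (rrname, rrtype, rdata).
# Four names share one address; one name sits alone on another.
PASSIVE_DNS = [
    ("www.example-fanclub.test.", "A", "192.0.2.18"),
    ("www.example-doors.test.", "A", "192.0.2.18"),
    ("www.example-cruises.test.", "A", "192.0.2.18"),
    ("www.example-comics.test.", "A", "192.0.2.18"),
    ("www.example-solo.test.", "A", "198.51.100.7"),
    # CNAMEs are not address records and must not be counted as hosts.
    ("cdn.example-fanclub.test.", "CNAME", "www.example-fanclub.test."),
]


def reverse_map(records):
    """Build address -> set of hostnames from A/AAAA observations only."""
    by_ip = defaultdict(set)
    for rrname, rrtype, rdata in records:
        if rrtype in ("A", "AAAA"):
            by_ip[rdata].add(rrname.rstrip("."))
    return by_ip


def anonymity_set(records, hostname):
    """Return (address, sorted names) that an IP-only observer cannot
    distinguish from `hostname`, or (None, []) if the name is unknown."""
    by_ip = reverse_map(records)
    name = hostname.rstrip(".")
    for ip, names in by_ip.items():
        if name in names:
            return ip, sorted(names)
    return None, []


def what_observer_learns(records, hostname, cleartext_sni):
    """Model the two observers discussed in the thread.

    With cleartext SNI the observer learns the exact name; without it,
    only the co-hosted candidate set for the server address."""
    ip, names = anonymity_set(records, hostname)
    if cleartext_sni:
        return [hostname.rstrip(".")]
    return names


if __name__ == "__main__":
    target = "www.example-fanclub.test."
    ip, names = anonymity_set(PASSIVE_DNS, target)
    print(f"{target} is served from {ip}, shared with {len(names) - 1} other names")
    print("observer with cleartext SNI sees:", what_observer_learns(PASSIVE_DNS, target, True))
    print("observer with IP only sees:", what_observer_learns(PASSIVE_DNS, target, False))
```

Run it directly to see the two observer views side by side. The design point matches the message: the passive-DNS reverse map is cheap to build for anyone (it is one dictionary over public observations), so the privacy gain of hiding the name is exactly the size of the co-hosted set, which is large on a shared CDN address and zero for a name hosted alone.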