Re: [DNSOP] Proposal for a new record type: SNI

Warren Kumari <> Mon, 20 February 2017 23:24 UTC

From: Warren Kumari <>
Date: Mon, 20 Feb 2017 18:24:04 -0500
To: John Levine <>
Cc: Tony Finch <>, dnsop <>
Subject: Re: [DNSOP] Proposal for a new record type: SNI

On Mon, Feb 20, 2017 at 4:19 PM, John Levine <> wrote:
> In article <> you write:
>>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>>DANE TLSA records to identify the server's cert or key, and use a
>>variation of TLS SNI to request the cert by digest instead of by name?
> I don't see how that would help.  Using passive DNS it's easy to find
> all the names that point to a server, which makes it easy to get all
> of the TLSA records for those names so the bad guy knows the hashes.

("The Official Justin Bieber Fan Club") is
hosted by Akamai on
According to DNSDB (IMO the best passive DNS service), there are 605
other sites *also* hosted on

No doubt pervasive monitors (and others) will use passive DNS systems
to build a map of SNI DNS RRs, but I'd much much rather have the men
in black thinking that I'm visiting,, or than knowing my
dirty little secret love of the Bieb...

Even more embarrassing is my love of Kylie Minogue -- [0]
I'd much rather have anyone watching my TLS connections think that I'm
a fan of, or one of the other
900+ sites on that IP address.

Yes, maps of $site -> SNI *will* be made, and will be used for
profiling -- but ...

"I read Playboy for the articles" only works if they have articles --
I only went to to read that, *not* to
try to buy the new poster, you know, the one where his hair is *sooo*


> R's,
> John
> _______________________________________________
> DNSOP mailing list

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
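The argument in this thread is about anonymity-set size: an on-path observer who already has a passive-DNS map can narrow a TLS connection to the set of names resolving to the destination IP, and seeing the SNI value (or a published site -> SNI mapping) shrinks that set further. The following Python is an added illustration, not code from the DNSOP thread or from any project it names. It assumes a hypothetical SNI record whose value is the string the client sends as TLS SNI instead of the site name; every name, IP address and SNI value in it is constructed. It computes, for a constructed passive-DNS feed, how many sites an observer cannot tell apart with IP alone, with IP plus an observed SNI value, and which sites gain nothing from the published value because nobody else shares it.

```python
"""Anonymity-set size under passive DNS, with and without an SNI value.

Added example (not from the DNSOP thread or any project it mentions).
Model: a passive-DNS feed has recorded, for each site, its A record
target and the value it publishes in a hypothetical SNI record (the
string a client would send as TLS SNI instead of the site name). The
record semantics and all names, IPs and values below are assumptions.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (owner name, A target, SNI value).
PASSIVE_DNS = [
    # Multi-tenant host: many names share one generic SNI value.
    ("fanclub.example", "203.0.113.10", "shared-host-1.cdn.example"),
    ("news.example",    "203.0.113.10", "shared-host-1.cdn.example"),
    ("cooking.example", "203.0.113.10", "shared-host-1.cdn.example"),
    ("shop.example",    "203.0.113.10", "shared-host-1.cdn.example"),
    # Same IP, but this site published its own name as its SNI value.
    ("vanity.example",  "203.0.113.10", "vanity.example"),
    # Single-tenant host: the IP alone already identifies the site.
    ("lonely.example",  "203.0.113.20", "lonely.example"),
]


def build_maps(records):
    """Index the feed by destination IP and by (IP, SNI value)."""
    by_ip = defaultdict(set)
    by_ip_sni = defaultdict(set)
    for name, ip, sni in records:
        by_ip[ip].add(name)
        by_ip_sni[(ip, sni)].add(name)
    return by_ip, by_ip_sni


def candidates(records, dest_ip, observed_sni=None):
    """Sites an on-path observer cannot tell apart for one connection.

    With only the destination IP, every name resolving there is a
    candidate. If the observer also sees the SNI value on the wire and
    holds the passive-DNS map of who publishes that value, the set
    shrinks to the names on that IP publishing exactly that value.
    """
    by_ip, by_ip_sni = build_maps(records)
    if observed_sni is None:
        return set(by_ip.get(dest_ip, ()))
    return set(by_ip_sni.get((dest_ip, observed_sni), ()))


def exposure_report(records):
    """For each site, how many sites share its (IP, SNI value) pair.

    A count of 1 means the published SNI value hides nothing: the
    observer can name the site exactly. Larger counts are the
    "one of N sites on this host" cover the thread describes.
    """
    _, by_ip_sni = build_maps(records)
    return {name: len(by_ip_sni[(ip, sni)]) for name, ip, sni in records}


if __name__ == "__main__":
    print("IP only:", sorted(candidates(PASSIVE_DNS, "203.0.113.10")))
    print("IP + shared SNI value:",
          sorted(candidates(PASSIVE_DNS, "203.0.113.10",
                            "shared-host-1.cdn.example")))
    for site, n in exposure_report(PASSIVE_DNS).items():
        print(f"{site}: indistinguishable from {n} site(s)")
```

The `exposure_report` output is the check a zone operator would want before publishing such a record: a site whose (IP, SNI value) pair is unique in passive DNS, like `vanity.example` or `lonely.example` above, is identified exactly despite the indirection, while the four tenants sharing `shared-host-1.cdn.example` are only distinguishable down to that group of four.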