Re: [DNSOP] Proposal for a new record type: SNI

"John R Levine" <johnl@taugh.com> Sat, 18 February 2017 02:47 UTC

Date: 17 Feb 2017 21:47:30 -0500
Message-ID: <alpine.OSX.2.20.1702172143530.94448@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Ben Schwartz" <bemasc@google.com>
In-Reply-To: <CAHbrMsAdgRU6g4E6wCCA0zs6p=yTU4VJE3UWzvsuU5JAtnxaWQ@mail.gmail.com>
References: <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com> <20170217220309.9637.qmail@ary.lan> <CAHbrMsAdgRU6g4E6wCCA0zs6p=yTU4VJE3UWzvsuU5JAtnxaWQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WbPsItL96i_BUhuKuRqybRBITq0>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Proposal for a new record type: SNI

> 1. Multiple domains on the same host set the same SNI record.  Possession
> of a global DNS database is no help to the adversary.  The adversary still
> cannot distinguish the domains.  This is the intended use.

Now I'm really confused.  If the SNI value is just a cover name, and the 
client's going to send the real name later, why not just pick a fixed 
impossible cover name like SNI.INVALID and skip the SNI lookup?

Presumably if this became at all popular, everyone would send SNI.INVALID, 
so it wouldn't leak anything interesting.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
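An added illustration of the point made in the message above (example code, not part of the thread or of any draft): the RFC 6066 server_name extension travels in the clear, so a passive observer reads exactly the host_name string it carries. When every site behind a host sends one shared cover name such as SNI.INVALID, the observable SNI is identical across domains and no longer distinguishes them. The encoder, parser and domain names below are constructed for this example.

```python
import struct

# RFC 6066: server_name is ExtensionType 0; the only defined NameType is host_name (0).
EXT_SERVER_NAME = 0
NAME_TYPE_HOST = 0


def encode_sni_extension(host: str) -> bytes:
    """Encode a ClientHello server_name extension carrying one host_name entry."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def observed_sni(extension: bytes) -> str:
    """Return the host_name a passive on-path observer can read from the cleartext extension."""
    ext_type, ext_len = struct.unpack("!HH", extension[:4])
    if ext_type != EXT_SERVER_NAME or ext_len != len(extension) - 4:
        raise ValueError("not a well-formed server_name extension")
    body = extension[4:]
    (list_len,) = struct.unpack("!H", body[:2])
    pos, end = 2, 2 + list_len
    while pos < end:
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if name_type == NAME_TYPE_HOST:
            return body[pos:pos + name_len].decode("ascii")
        pos += name_len  # skip any unknown NameType entries
    raise ValueError("no host_name entry present")


def observer_can_distinguish(real_names, cover_name=None) -> bool:
    """True if the cleartext SNI values differ across the given set of real names.

    With cover_name=None each client sends its real name (today's behaviour);
    with a shared cover name every ClientHello carries the same string.
    """
    seen = {observed_sni(encode_sni_extension(cover_name or n)) for n in real_names}
    return len(seen) > 1


if __name__ == "__main__":
    # Constructed sample domains co-hosted on one server.
    sites = ["alpha.example", "bravo.example", "charlie.example"]
    print("plain SNI distinguishable:", observer_can_distinguish(sites))
    print("fixed cover name distinguishable:",
          observer_can_distinguish(sites, cover_name="SNI.INVALID"))
```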