Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

"John Levine" <johnl@taugh.com> Thu, 19 July 2018 20:56 UTC

In article <CAM1xaJ_jcMunvfuqqgoe-5hTSE1t=A4ELWF1j0SBsztoZ_1S=w@mail.gmail.com> you write:
>I just scanned the draft and focused mainly on the DNS bits. The
>described method for publishing encryption keys for SNI in DNS won't
>allow use of wildcard domain names.

Yes, that is a very well known fact about _prefix names in the DNS.

If you want wildcards to work, use a new rrtype, e.g., instead of this:

>   _esni.example.com. 60S IN TXT "..." "..."

do this:

   example.com. 60S IN ESNI 983989D92330EA840...

It can use base64 encoded text but it might as well just put the
ESNIKeys structure literally in the record, represented in the master
file as a hex string, like the certificate stored in a TLSA record.

It's harder to deploy a new rrtype than an overloaded TXT record, but
you can't have everything.

-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
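The wildcard behaviour referred to above, as an added example that is not part of the original thread: a toy RFC 4592 synthesis routine over a constructed zone, showing that `*.example.com. IN ESNI` is synthesized for any host the wildcard covers, whereas a `_esni.` prefix cannot itself be wildcarded (the asterisk must be the leftmost label) and is not reached by `*.example.com.` once the host name exists. The zone contents, the ESNI rdata and the record type name are made up for the example.

```python
# Minimal RFC 4592 wildcard synthesis, enough to show why a dedicated
# RRtype at the host's own name works with wildcards and a "_esni."
# prefix name does not.  Zone data below is constructed, not real.
ZONE = {
    "example.com.":         {"SOA": ["ns1 hostmaster 1 3600 900 1209600 60"]},
    "*.example.com.":       {"A": ["192.0.2.1"], "ESNI": ["ESNIKEYS-HEX-PLACEHOLDER"]},
    "www.example.com.":     {"A": ["192.0.2.2"]},
    # Not a wildcard: the '*' is not the leftmost label (RFC 4592 2.1.1),
    # so this is just a literal owner name that never synthesizes anything.
    "_esni.*.example.com.": {"TXT": ["esni-keys-that-nobody-will-get"]},
}

def parent(name):
    """Strip the leftmost label: 'www.example.com.' -> 'example.com.'"""
    return name.split(".", 1)[1]

def exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup(zone, qname, qtype):
    """Answer as an authoritative server would: (status, rdata-or-None)."""
    if exists(zone, qname):
        rrs = zone.get(qname, {}).get(qtype)
        return ("ANSWER", rrs) if rrs else ("NODATA", None)
    # Closest encloser: the longest existing ancestor of qname.
    ce = parent(qname)
    while ce and not exists(zone, ce):
        ce = parent(ce)
    # Only '*' directly below the closest encloser can synthesize.
    source = "*." + ce
    if source not in zone:
        return ("NXDOMAIN", None)
    rrs = zone[source].get(qtype)
    return ("ANSWER", rrs) if rrs else ("NODATA", None)

if __name__ == "__main__":
    for qname, qtype in [
        ("foo.example.com.", "ESNI"),        # synthesized from *.example.com.
        ("_esni.foo.example.com.", "TXT"),   # NODATA: _esni.* is not a wildcard
        ("_esni.www.example.com.", "TXT"),   # NXDOMAIN: www exists, *.www does not
        ("www.example.com.", "ESNI"),        # NODATA: explicit names need their own RR
    ]:
        print(f"{qname:28} {qtype:5} -> {lookup(ZONE, qname, qtype)}")
```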