Re: [DNSOP] [ I-D Action: draft-rescorla-tls-esni-00.txt]

Jan Včelák <> Thu, 19 July 2018 21:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 262BD130F76 for <>; Thu, 19 Jul 2018 14:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rIa_xixb2Ocw for <>; Thu, 19 Jul 2018 14:15:14 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c08::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8ECCA130F67 for <>; Thu, 19 Jul 2018 14:15:14 -0700 (PDT)
Received: by with SMTP id x24-v6so6147723ual.10 for <>; Thu, 19 Jul 2018 14:15:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GBwUyLxfARF0SWssK3xg1TuLDGuqkR8ye8rOUZpb1iY=; b=UCM2psnRVVnxdDFzAaVT+MpLeH+F5MtPNoaPgt/NHwOKPDfVks19WFyO8/+S1zRgOf csAZynoGZPyChFyeebjnf0lbBXD8yxyCinPlkftojLIRbCh6xF0ZgJ2P0rbYKy5+6O6K 1zz/JblvWU/IjWdnW+k0Jg7I+JFQQfQ3p51zE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GBwUyLxfARF0SWssK3xg1TuLDGuqkR8ye8rOUZpb1iY=; b=Bq2HIOtOzsq+s37IE+1DQQNPFLC0XXDXPIjQ1e80NUYQvZyyAapI99cad2MID/333/ 2H+Qh95C474IvsWLfCE3uEmCUgyQbaQWRpo/4T8Dcgk3VNAireTLvtlMdC8TzYXghFvs bL4qk1lsWvr1M8WwOLhhK3yTmTErTusUdRLrSK/K2aIC08t8Bni+gLWUkF8upL13tzRl ZUcEUcmBFZZgJGl7PCHMVG9wuBDHui/MaeqbPifnPFQUmFfU1N3RUWrd3k99LYe2s4c0 XIkjnovG05KPVBmDvXofDrm0LcA5HWcQUk1VwHEkbL90fFzep18bC3pdmOSYjB4lAj6A IyCQ==
X-Gm-Message-State: AOUpUlErvWnv1+aLlr4TiliOMQul8bz3iGbRP/RXhgtNjhaKDOclXwgD oE8ZRF+7sqgkK9I8W/v8pult7MCfRA2cKMiBYEqIPg==
X-Google-Smtp-Source: AAOMgpc4CsgZ60mJJytQzBtOwPU4XUr/4qZnJofaDnJ0mDV1/N0f1UIuSvNC8pKMfKIGlbjT/JEEstYu5u9SWOvHsr4=
X-Received: by 2002:ab0:1664:: with SMTP id l33-v6mr8367059uae.31.1532034913637; Thu, 19 Jul 2018 14:15:13 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= <>
Date: Thu, 19 Jul 2018 17:15:02 -0400
Message-ID: <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [DNSOP] [ I-D Action: draft-rescorla-tls-esni-00.txt]
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jul 2018 21:15:17 -0000

On Thu, Jul 19, 2018 at 3:04 PM Kazuho Oku wrote:
> Background: In ESNI, we would like to support two types of
> deployments: 1) DNS and TLS servers operated by same entity, 2) DNS
> and TLS server operated by separate entities.

Let me sketch how this could work with custom DNS record type. Let's
call the new type ESNI. This is how the DNS records for CDN and our domain may look like:

cdn-provider.test. SOA ...
cust.cdn-provider.test. A
cust.cdn-provider.test. AAAA 2001:db8::cafe:100
cust.cdn-provider.test. ESNI "..." SOA ....
* CNAME cust.cdn-provider.test. CNAME somewhere-else.test. AAAA 2001:db8::beef:100 A AAAA 2001:db8::beef:200 ESNI "..."

I think this configuration should support all the deployments you mentioned:
- is configured explicitly.
- configuration is outsourced to some other
provider. We don't know if they provide A, AAAA, or ESNI.
- is configured explicitly with no ESNI.
- any other subdomain under is outsourced to
cust.cdn-provider.test which providers A, AAAA, and ESNI

> My understanding is that ANAME is coming, but that is for address
> records only. It cannot be used to delegate a specific type that you
> choose.

We all wish we had solution for this problem. At the moment, you can
use just CNAME which takes all. If you wanna configure subset of A,
AAAA, ESNI, you have to do that explicitly. Also, you cannot use CNAME
at zone apex (for