Re: [DNSOP] Proposal for a new record type: SNI

Tony Finch <dot@dotat.at> Mon, 20 February 2017 15:00 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B9EF1294D2 for <dnsop@ietfa.amsl.com>; Mon, 20 Feb 2017 07:00:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcMxyFFHHFW1 for <dnsop@ietfa.amsl.com>; Mon, 20 Feb 2017 07:00:28 -0800 (PST)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) by ietfa.amsl.com (Postfix) with ESMTP id 8FF95129405 for <dnsop@ietf.org>; Mon, 20 Feb 2017 07:00:28 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:41080) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1cfpRz-000TGX-iW (Exim 4.88) (return-path <dot@dotat.at>); Mon, 20 Feb 2017 15:00:28 +0000
Date: Mon, 20 Feb 2017 15:00:27 +0000
From: Tony Finch <dot@dotat.at>
To: Ben Schwartz <bemasc@google.com>
In-Reply-To: <alpine.OSX.2.20.1702182014260.99706@ary.qy>
Message-ID: <alpine.DEB.2.11.1702201458030.23970@grey.csi.cam.ac.uk>
References: <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com> <20170217220309.9637.qmail@ary.lan> <CAHbrMsAdgRU6g4E6wCCA0zs6p=yTU4VJE3UWzvsuU5JAtnxaWQ@mail.gmail.com> <alpine.OSX.2.20.1702172143530.94448@ary.qy> <CAHbrMsApypey9WRvFMzAPupjmts-sdG9N=zuwtP=PZ1cxV=rvg@mail.gmail.com> <alpine.OSX.2.20.1702182014260.99706@ary.qy>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fbiKctl6D7LlHop8HISWfSATkfk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Proposal for a new record type: SNI
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2017 15:00:30 -0000

Would it be easier or harder, instead of adding a new SNI RRtype, to use
DANE TLSA records to identify the server's cert or key, and use a
variation of TLS SNI to request the cert by digest instead of by name?

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Hebrides, Bailey: West backing southwest 6 to gale 8. Rough or very rough,
becoming high later in west Bailey. Showers, then rain later. Good,
occasionally poor.