Re: [DNSOP] Proposal for a new record type: SNI

"John R Levine" <johnl@taugh.com> Sun, 19 February 2017 15:25 UTC

Date: 19 Feb 2017 10:24:59 -0500
Message-ID: <alpine.OSX.2.20.1702182014260.99706@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Ben Schwartz" <bemasc@google.com>
In-Reply-To: <CAHbrMsApypey9WRvFMzAPupjmts-sdG9N=zuwtP=PZ1cxV=rvg@mail.gmail.com>
References: <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com> <20170217220309.9637.qmail@ary.lan> <CAHbrMsAdgRU6g4E6wCCA0zs6p=yTU4VJE3UWzvsuU5JAtnxaWQ@mail.gmail.com> <alpine.OSX.2.20.1702172143530.94448@ary.qy> <CAHbrMsApypey9WRvFMzAPupjmts-sdG9N=zuwtP=PZ1cxV=rvg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kqsx3grpo7o95nnzxkrsPoNmeus>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Proposal for a new record type: SNI

> The reason to allow non-empty RDATA is to support servers that serve
> multiple multi-domain certificates from a single IP address, dispatched by
> SNI.  This is common on CDNs and other large internet serving systems.

Oh, OK, that's helpful.

So the use case is a web server that serves a zillion domains, with the 
domains grouped into clusters that share a certificate.  For each cluster, 
you pick one of the names as the cover name, and the SNI points to that
name.  The cover name doesn't have to be in the DNS, but if it's not, that 
makes it stick out like a sore thumb.

Passive DNS on the server's IP address will reveal all of the server's 
names, and probes on those names to get the certs will reveal which names 
are in which cluster, so all SNI reveals is which names are the cover 
names.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
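The leakage argument above can be checked mechanically. The following is an added example, not part of John Levine's message or of the SNI record proposal it replies to, and all of its data is constructed. It assumes a hypothetical SNI record whose RDATA is the cover name a client should send in the TLS ClientHello, with empty RDATA meaning "send the queried name itself" (that encoding is an assumption for illustration). It models an observer who already has passive DNS for the server's address and can fetch each name's certificate, then compares what that observer learns with what the SNI records add: the certificate clusters are already recoverable from SAN lists, so the only new information is which member of each cluster is the cover name, plus the "sore thumb" case of a cover name that has no DNS entry of its own.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (owner name, A record) pairs seen
# for one busy server address and one unrelated name.
SERVER_IP = "192.0.2.10"
PASSIVE_DNS = [
    ("alpha.example", "192.0.2.10"),
    ("www.alpha.example", "192.0.2.10"),
    ("beta.example", "192.0.2.10"),
    ("gamma.example", "192.0.2.10"),
    ("delta.example", "192.0.2.10"),
    ("epsilon.example", "192.0.2.10"),
    ("unrelated.example", "198.51.100.7"),
]

# Constructed certificates, one per cluster: the SAN list a probe of any
# member name would return. Cluster membership is therefore already public.
CERT_SANS = {
    "cert-A": ("alpha.example", "www.alpha.example", "beta.example"),
    "cert-B": ("gamma.example", "delta.example"),
    "cert-C": ("cover-c.example", "epsilon.example"),  # cover name has no DNS entry
}

# Hypothetical SNI records (assumed encoding): RDATA is the cover name to
# send; empty RDATA means the queried name is its own cover name.
SNI_RECORDS = {
    "alpha.example": "",
    "www.alpha.example": "alpha.example",
    "beta.example": "alpha.example",
    "gamma.example": "",
    "delta.example": "gamma.example",
    "epsilon.example": "cover-c.example",
}


def names_on_ip(pdns, ip):
    """Passive DNS view: every name observed resolving to the server address."""
    return {name for name, addr in pdns if addr == ip}


def cert_for(name, cert_sans):
    """Simulated probe: which certificate does the server present for this name?"""
    for cert_id, sans in cert_sans.items():
        if name in sans:
            return cert_id
    return None


def clusters_from_probes(names, cert_sans):
    """Group names by presented certificate; the SAN list reveals the whole cluster."""
    groups = defaultdict(set)
    for name in names:
        cert_id = cert_for(name, cert_sans)
        if cert_id is not None:
            groups[cert_id].update(cert_sans[cert_id])
    return {frozenset(members) for members in groups.values()}


def cover_name_of(name, sni_records):
    """Resolve a name to its cover name under the assumed SNI record encoding."""
    return sni_records.get(name, "") or name


def clusters_from_sni(sni_records):
    """Group names by cover name, the view an observer gets from the SNI records alone."""
    groups = defaultdict(set)
    for name in sni_records:
        cover = cover_name_of(name, sni_records)
        groups[cover].update({name, cover})
    return {frozenset(members) for members in groups.values()}


def cover_names(sni_records):
    """The one thing the SNI records reveal beyond passive DNS plus probes."""
    return {cover_name_of(name, sni_records) for name in sni_records}


def sni_leak_report(pdns, ip, cert_sans, sni_records):
    """Compare the two observer views and isolate what the SNI records add."""
    names = names_on_ip(pdns, ip)
    probe_clusters = clusters_from_probes(names, cert_sans)
    covers = cover_names(sni_records)
    return {
        "names_from_pdns": names,
        "clusters_from_probes": probe_clusters,
        # Clusters visible via SNI records but not via certificate probes: empty,
        # because every cover name is itself a SAN of its cluster's certificate.
        "sni_adds_clusters": clusters_from_sni(sni_records) - probe_clusters,
        "cover_names": covers,
        # Cover names that exist only inside SNI RDATA and never in the DNS.
        "cover_names_absent_from_dns": covers - names,
    }


if __name__ == "__main__":
    for key, value in sni_leak_report(PASSIVE_DNS, SERVER_IP, CERT_SANS, SNI_RECORDS).items():
        print(f"{key}: {sorted(map(sorted, value)) if key.startswith('clusters') else sorted(value)}")
```

With the constructed data, `sni_adds_clusters` is empty and `cover_names` is exactly the three cover names, which is the message's point; `cover_names_absent_from_dns` singles out `cover-c.example`, the cover name that would stand out precisely because nothing else in the DNS refers to it.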