Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

Jan Včelák <jv@fcelda.cz> Thu, 19 July 2018 17:36 UTC

Return-Path: <jv@fcelda.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2A0F130EBC for <dnsop@ietfa.amsl.com>; Thu, 19 Jul 2018 10:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VR_WB3f2gUdJ for <dnsop@ietfa.amsl.com>; Thu, 19 Jul 2018 10:36:06 -0700 (PDT)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E787130EAF for <dnsop@ietf.org>; Thu, 19 Jul 2018 10:36:06 -0700 (PDT)
Received: by mail-ua0-x22b.google.com with SMTP id p22-v6so5733770uao.7 for <dnsop@ietf.org>; Thu, 19 Jul 2018 10:36:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=z2QCaUTGVL46VbEpie1N6fQgZBrdqxgaOAPM9naeWW4=; b=T4UutfLrA6ey8Pw7uCVCmqgTdmlDtWljDFhyVSlNID/cP76qOtnZU/lRyFWe3UXfGS +Nzoc2YdRJLKb+safzBXAZD5/tXs2dkLx2t+PnHW7Msat0+Y8m+xNbG1vrgRNmWdf1hb mRUd89Ay6ajn24rlk3sCjRCTa9cCHezPnv85U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=z2QCaUTGVL46VbEpie1N6fQgZBrdqxgaOAPM9naeWW4=; b=gQfu5ahTrbDUcgblQ3OKMiconUTwLxMB5gfbHfmMjYWSRUbY1JamsjYTIncQFSa3wl RA9t9i+K6odzihc8nMArAzJQfH4NYYq363gTkSewOi37gyBZmVmz98Mwc4NMXqw30SXs IjitDAQKQL2u6kjPWpAe8qe99UsZOeVcRX8TcCDP+4Rz8asfTdqOX5fgi2JzKnhtNdQU a76YuvGMjiYizjO4NDavKeSvGMaesYIalCoRn+VJE7VVswHaZWoVKJvuN9ZaTv+j91XP RT8U7JBMV/ORSNp0sbBM2gxpBXUvipYN5Wa7C1ojEz8dCyXh6NYXqZPSI4XrXuvg90oh XaZA==
X-Gm-Message-State: AOUpUlFueaL09LpUpSfFNs+YFJQs9e0aY/M3cunXTgJQoL0nZuBaqmgh HP7rZ8MKgDz63QfXpoa+S4CXWtkevAs99v0X1Y1rSAgihvUkFQ==
X-Google-Smtp-Source: AAOMgpet1i53wXud9/xqbO8MfNZb2WKCOzPRPdga9441BsbypfWsavzTmj+NrioJJhy7zJo+rPe+hAxN23dFsuEr49s=
X-Received: by 2002:ab0:60ae:: with SMTP id f14-v6mr7282285uam.153.1532021765174; Thu, 19 Jul 2018 10:36:05 -0700 (PDT)
MIME-Version: 1.0
References: <20180707191900.7jjaxklib3tlixgb@nic.fr>
In-Reply-To: <20180707191900.7jjaxklib3tlixgb@nic.fr>
From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= <jv@fcelda.cz>
Date: Thu, 19 Jul 2018 13:36:19 -0400
Message-ID: <CAM1xaJ_jcMunvfuqqgoe-5hTSE1t=A4ELWF1j0SBsztoZ_1S=w@mail.gmail.com>
To: dnsop@ietf.org, draft-rescorla-tls-esni@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xXFEUEAkRIOeE4kYm-NeDWAJRhg>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 17:36:10 -0000

Hey,

I just scanned the draft and focused mainly on the DNS bits. The
described method for publishing encryption keys for SNI in DNS won't
allow use of wildcard domain names.

Relevant text in the draft:

   The name of each TXT record MUST match the name composed of _esni and
   the query domain name.  That is, if a client queries example.com, the
   ESNI TXT Resource Record might be:

   _esni.example.com. 60S IN TXT "..." "..."

The reason is that _esni.*.example.com. doesn't work as a wildcard. If
you want wildcards to work, new dedicated DNS record type will be
needed. I think it should be fairly easy to get a new type allocated
as this doesn't require special DNS processing.

Cheers,

Jan

On Sat, Jul 7, 2018 at 3:19 PM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> I think that ESNI is a nice and simple idea to solve the privacy
> problems of the current TLS SNI. I forward the draft here because it
> uses DNS to publish keys, under a underscore prefix.
>
>
>
> ---------- Forwarded message ----------
> From: internet-drafts@ietf.org
> To: <i-d-announce@ietf.org>
> Cc:
> Bcc:
> Date: Mon, 02 Jul 2018 16:30:21 -0700
> Subject: I-D Action: draft-rescorla-tls-esni-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
>
>         Title           : Encrypted Server Name Indication for TLS 1.3
>         Authors         : Eric Rescorla
>                           Kazuho Oku
>                           Nick Sullivan
>                           Christopher A. Wood
>         Filename        : draft-rescorla-tls-esni-00.txt
>         Pages           : 19
>         Date            : 2018-07-02
>
> Abstract:
>    This document defines a simple mechanism for encrypting the Server
>    Name Indication for TLS 1.3.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-rescorla-tls-esni/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-rescorla-tls-esni-00
> https://datatracker.ietf.org/doc/html/draft-rescorla-tls-esni-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop