Re: Quic: the elephant in the room
Michael Thomas <mike@mtcc.com> Mon, 12 April 2021 15:38 UTC
Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD1693A22BC for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 08:38:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f1B3KJo7wU1M for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F5003A22BB for <ietf@ietf.org>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
Received: by mail-pg1-x531.google.com with SMTP id k8so9688779pgf.4 for <ietf@ietf.org>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=2GbnhBxXw+rOF+JSaEbKwNZN+u7K048nuCeqF7LvIJk=; b=bp25UQGAOIMLP6dgNrXsYnwQgBdBZ1XDCtvVb59sBz5DcptKgmHqH5Pkayq53gEE6g P8J1JFqOuDLrUNjH1YjVGqw9QhSvsDn19f2g1aoq/IKSSZu5fXkL0QbRW4+6TCp8oLZh JKZPbzaU0vz3Yt23PdY1nYJ22suuPmKrjmraV6LqRNTrauA5CZsOM0yXmSdg4mypxVyo tOBHDB6h3NhnBnVgU9I0aovYY0hs0m0myUoaUZcE2qmmjIklJ8431bSG1ocYXpW8Qna+ LpfsyvbIksjTSDvhZxzQoS+MjqrqiWT8XqaY6B3Mi66+CJnY0bXMKtn/KkQDt3YSP3I+ BKJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=2GbnhBxXw+rOF+JSaEbKwNZN+u7K048nuCeqF7LvIJk=; b=B6OQe7kT9IeoR+luMQ+czCd11Y/wpx/BLcn5zz4ZV4DAB0gw+l2h4EpHYqHtadlnv8 uCc7/+pTL4Zijq8VLLIoF8gbnN6mCxEkunfSb8Z9J13+yGIg6D1DdORNt30M5aBdjao/ k8fpj7J6XzqccVAjyF+cGqn7cAqS+sl0ferEBwlEci5jiFpO9ZYwETNyVwbuiAMeKEGo f6lyJMc6AuNmOVYTlCHXVJRVSYtiUKGN6jnJcwD5yvaqyfglsFaD0z7eIdwwTCT0txTk HnNQuF39RLpjaJrNiT6YMo4cmAnyDajD4FBCvpGSHH4zHfuph47gjK2R75X2zPdcq97q 9dXg==
X-Gm-Message-State: AOAM533+TFdrssPLyVOwvao78EqoA61OphohaKLjO0WA1aBKV9yHVq1l 35ty7KlMEHNZHN1qDhnZ0pjQb8cZ9iyy0A==
X-Google-Smtp-Source: ABdhPJzg6jiDLelC99wYztTwNo6Wt/3bN+jF0q5HeWFX4Dxuu1r5coNIqM5smKShWN0oQHU5/6FDxg==
X-Received: by 2002:a63:5f0c:: with SMTP id t12mr27250904pgb.381.1618241879753; Mon, 12 Apr 2021 08:37:59 -0700 (PDT)
Received: from mike-mac.lan (107-182-38-56.volcanocom.com. [107.182.38.56]) by smtp.gmail.com with ESMTPSA id o11sm1945731pfu.188.2021.04.12.08.37.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 08:37:59 -0700 (PDT)
Subject: Re: Quic: the elephant in the room
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Andrew McConachie <andrew@depht.com>, "Salz, Rich" <rsalz@akamai.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com> <E4374100-265E-4426-9F9A-AC437DA31D2B@depht.com> <15059e21-b7c2-4211-869e-df3ffdf7c34a@mtcc.com> <CAMm+LwgnoqXKNSKxt0-rDa8ze6J9LsZz0jVeogBXAWNDveC_ZQ@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <91ea341f-87dd-2760-82a8-db03a7616c59@mtcc.com>
Date: Mon, 12 Apr 2021 08:37:57 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgnoqXKNSKxt0-rDa8ze6J9LsZz0jVeogBXAWNDveC_ZQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------698B119B7F215A1D3CDD8BD0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1jOe3cQGv2S0ABS9RIMtBTBuUKc>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 15:38:06 -0000
On 4/12/21 8:33 AM, Phillip Hallam-Baker wrote: > > > On Mon, Apr 12, 2021 at 11:22 AM Michael Thomas <mike@mtcc.com > <mailto:mike@mtcc.com>> wrote: > > > On 4/12/21 3:36 AM, Andrew McConachie wrote: > > > > > > When looking at how one might implement DANE for HTTPS/TLS I > don’t see > > any reason to handle these things sequentially. You don’t have to > > change TLS you just have to do things asynchronously. Query for > TLSA > > RRs at the same time as sending the TLS ClientHello, and kill the > > connection setup when/if DANE validation fails. On the off > chance that > > the DNS actually takes longer than TLS, maybe delay sending data > via > > TLS until DNS responds. But I bet this almost never happens. > > > Correct. Better: you can do the TLSA request at the same time as the > A/AAAA request speculatively. Plus if you've ever had a TLSA > record for > that domain, you know it's pretty likely you'll get a fresh one > even if > the last one is expired, so the speculation is minimal. > > > Or replace the DNS resolver protocol with a privacy protected one in > which a single request packet can be answered by multiple response > packets. This maintains the 'stateless' nature of DNS queries but > allows responses of 1-32 packets. > > Then introduce a new DNS query for 'tell me how to connect to protocol > X at name Y' > > Then a query to the responder can return the A record, the AAAA > record, the SRV record, any relevant TXT and TLSA records and the > entire cert chain for one particular host chosen by the responder. > I really have no desire to boil the ocean. My post was something that is actually achievable with existing protocols with and achievable by way of many browser vendors having the capability of implementing those protocols on their front and backends. That was its entire point: it's achievable in the here and now. Mike
- Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Stephane Bortzmeyer
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: DNS vs PKI, was Quic: the elephant in the room John Levine
- Re: DNS vs PKI, was Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room David Conrad
- Re: Quic: the elephant in the room Viktor Dukhovni
- DNSSEC architecture vs reality (was: Re: Quic: th… Keith Moore
- Re: DNSSEC architecture vs reality (was: Re: Quic… Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality (was: Re: Quic… Viktor Dukhovni
- Re: Quic: the elephant in the room Andrew McConachie
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: DNSSEC architecture vs reality Marco Davids
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Michael Thomas
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Phillip Hallam-Baker
- Re: Quic: the elephant in the room Nico Williams
- Re: Quic: the elephant in the room Salz, Rich
- Re: Quic: the elephant in the room Viktor Dukhovni
- Re: Quic: the elephant in the room Salz, Rich
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality John C Klensin
- Re: DNSSEC architecture vs reality Keith Moore
- Re: DNSSEC architecture vs reality Michael Thomas
- Re: DNSSEC architecture vs reality Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John Levine
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Mark Andrews
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: DNSSEC architecture vs reality Andrew McConachie
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Eliot Lear
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: DNSSEC architecture vs reality Patrik Fältström
- Re: new RRTYPEs, was DNSSEC architecture vs reali… John R Levine
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Nico Williams
- Re: DNSSEC architecture vs reality Jim Fenton
- Re: DNSSEC architecture vs reality Masataka Ohta
- Re: DNSSEC architecture vs reality Petite Abeille
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Nico Williams
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Donald Eastlake
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Viktor Dukhovni
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Vittorio Bertola
- Re: new RRTYPEs, was DNSSEC architecture vs reali… Phillip Hallam-Baker
- Re: Fwd: Quic: the Elephant in the Room Michael Thomas
- Fwd: Quic: the Elephant in the Room Lars Eggert
- RE: Fwd: Quic: the Elephant in the Room Vasilenko Eduard
- Re: Quic: the elephant in the room Ben Laurie
- Re: Quic: the elephant in the room Phillip Hallam-Baker