Re: Quic: the elephant in the room

Phillip Hallam-Baker <> Mon, 12 April 2021 15:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DD8673A228D for <>; Mon, 12 Apr 2021 08:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BHm_G-XpYpXY for <>; Mon, 12 Apr 2021 08:33:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 206CD3A230C for <>; Mon, 12 Apr 2021 08:33:40 -0700 (PDT)
Received: by with SMTP id o5so14351109qkb.0 for <>; Mon, 12 Apr 2021 08:33:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rS2PwpRKqPBaJbjTxrZ+NhZFFqstFERYGAMi43TdkWY=; b=IDnxYlyeygLfwl4Z7EwUk4pozgR/t8sJ8dHcHlPFiiRCebdx7JVle/aFUNd2sT1sUl ZY8JeIVxMawhbpQ8IOiGXGurIAnNZWi49u9hIBFGElaqGx98s/riyD/OWWreqFuWpy06 gFu5mdwgq/wAV0SFfPVnt7pL1B60AH/6oa3bgg44dDy3A9gxbWO41haTirYy2Lr/n4wy t7+6XAQ6Um2+zjCeQOYuqiu6lpY20wrWNiWgN+lPo0L7ZfxFykgud1x7Q+i0EAkyeQ3G 6MreQ56y6gu5sKn0bf9l/ZjE3U0F1MK/oGjsoOXWhgkilPbgTv9h1IY5UNyP3uU7isF6 SBSQ==
X-Gm-Message-State: AOAM532rLC7GWV8dMftL15U1N52MSqkdHKojNW+hqTIOVq4MLqHMgTGm UGG0tdq8WwIeHA3+Ym/m8THSGzLjmZ4B4eCjmaE=
X-Google-Smtp-Source: ABdhPJzV4b/9psd+h2GeCKPHBaH+TomOiSVIyWHznV2HHj41puK7VuXZaldRf2Vr3EXqWakUB9XLpf3U6ohpUUMz3g0=
X-Received: by 2002:a5b:d41:: with SMTP id f1mr40781345ybr.523.1618241619908; Mon, 12 Apr 2021 08:33:39 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Mon, 12 Apr 2021 11:33:29 -0400
Message-ID: <>
Subject: Re: Quic: the elephant in the room
To: Michael Thomas <>
Cc: Andrew McConachie <>, "Salz, Rich" <>, IETF Discussion Mailing List <>
Content-Type: multipart/alternative; boundary="000000000000ea5d0d05bfc83cd8"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 12 Apr 2021 15:33:54 -0000

On Mon, Apr 12, 2021 at 11:22 AM Michael Thomas <> wrote:

> On 4/12/21 3:36 AM, Andrew McConachie wrote:
> >
> >
> > When looking at how one might implement DANE for HTTPS/TLS I don’t see
> > any reason to handle these things sequentially. You don’t have to
> > change TLS you just have to do things asynchronously. Query for TLSA
> > RRs at the same time as sending the TLS ClientHello, and kill the
> > connection setup when/if DANE validation fails. On the off chance that
> > the DNS actually takes longer than TLS, maybe delay sending data via
> > TLS until DNS responds. But I bet this almost never happens.
> >
> Correct. Better: you can do the TLSA request at the same time as the
> A/AAAA request speculatively. Plus if you've ever had a TLSA record for
> that domain, you know it's pretty likely you'll get a fresh one even if
> the last one is expired, so the speculation is minimal.

Or replace the DNS resolver protocol with a privacy protected one in which
a single request packet can be answered by multiple response packets. This
maintains the 'stateless' nature of DNS queries but allows responses of
1-32 packets.

Then introduce a new DNS query for 'tell me how to connect to protocol X at
name Y'

Then a query to the responder can return the A record, the AAAA record, the
SRV record, any relevant TXT and TLSA records and the entire cert chain for
one particular host chosen by the responder.

Then to fix Rich's issue we introduce a subscription feature so that high
volume DNS resolvers can get push notification of changes in the CDN config.

It is really odd that you keep accusing me of being wedged on X.509v3
certificates when I have designed three other PKIs from scratch that don't
use ASN.1 at all, one of which is very widely used and another that I am
working on right now. X.509 is the only PKI I have worked on, the only
protocol I have worked on that I was not 1.0 on. I was 1.0 on applying it
to create the WebPKI.