Re: Quic: the elephant in the room

"Salz, Rich" <rsalz@akamai.com> Sun, 11 April 2021 22:18 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Nico Williams <nico@cryptonector.com>
CC: IETF Discussion Mailing List <ietf@ietf.org>
Subject: Re: Quic: the elephant in the room
Thread-Topic: Quic: the elephant in the room
Date: Sun, 11 Apr 2021 22:18:39 +0000
Message-ID: <94707E61-D7D2-4494-B88C-E229C8D8F3E4@akamai.com>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <20210411195854.GL9612@localhost>
In-Reply-To: <20210411195854.GL9612@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/rfH3ue9thwnaA2y2xbTvyOaKrwo>

> Imagine an e-commerce site connected to
> two CDNs who needs to switch.

> Not for DANE though.  If you want long-lived TLSA RRs + the ability to
> quickly change keys, then use TLSA RRs to "certify" an intermediate PKIX
> CA.

I don't understand.  Suppose www.ecomm.com, a big e-commerce site (or www.kingdom.com, a government-run broadcasting company, many examples work), uses cdn1 and cdn2 in some specific order and www.ecomm.com is CNAME'd to cdn1. Suppose they want to switch from cdn1 to cdn2 for some reason.

How does www.ecomm.com switch their DNSSEC records quickly enough?  I'm sure I am missing something.
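The following is an added illustration of the point Nico is making, not code from either poster: a TLSA record that pins the intermediate CA (certificate usage 2, DANE-TA) keeps matching when the site moves from cdn1's leaf certificate to cdn2's, whereas a record pinning the leaf itself (usage 3, DANE-EE) has to be republished in DNSSEC at switch time. Certificate bytes are constructed stand-ins for DER encodings; PKIX path validation and DNSSEC lookup are outside what the block models.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates. In a real deployment
# full_der is the whole certificate and spki_der its SubjectPublicKeyInfo.
@dataclass(frozen=True)
class Cert:
    name: str
    full_der: bytes   # TLSA selector 0 (full certificate)
    spki_der: bytes   # TLSA selector 1 (SubjectPublicKeyInfo)

def tlsa_assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data per RFC 6698 selector / matching type."""
    data = cert.full_der if selector == 0 else cert.spki_der
    if mtype == 0:
        return data                              # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()     # SHA-256
    if mtype == 2:
        return hashlib.sha512(data).digest()     # SHA-512
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_rdata(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """Presentation form of a TLSA RR's RDATA, e.g. '2 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {tlsa_assoc_data(cert, selector, mtype).hex()}"

def tlsa_matches(rdata: str, chain: list[Cert]) -> bool:
    """chain[0] is the end-entity cert, later entries its issuers.
    Usages 1 and 3 must match the end-entity cert; usages 0 and 2 (trust
    anchor) match if any certificate in the presented chain matches."""
    u, s, m, hexdata = rdata.split()
    candidates = chain[:1] if int(u) in (1, 3) else chain
    return any(tlsa_assoc_data(c, int(s), int(m)).hex() == hexdata for c in candidates)

def cdn_switch_demo() -> dict[str, bool]:
    """Does the published TLSA record survive moving from cdn1 to cdn2?"""
    inter = Cert("ecomm intermediate CA", b"DER:inter", b"SPKI:inter")
    cdn1 = Cert("cdn1 leaf for www.ecomm.com", b"DER:cdn1", b"SPKI:cdn1")
    cdn2 = Cert("cdn2 leaf for www.ecomm.com", b"DER:cdn2", b"SPKI:cdn2")
    ta_rr = tlsa_rdata(2, 1, 1, inter)   # long-lived: pins the intermediate
    ee_rr = tlsa_rdata(3, 1, 1, cdn1)    # pins cdn1's leaf key only
    return {
        "ta_before": tlsa_matches(ta_rr, [cdn1, inter]),
        "ta_after":  tlsa_matches(ta_rr, [cdn2, inter]),
        "ee_before": tlsa_matches(ee_rr, [cdn1, inter]),
        "ee_after":  tlsa_matches(ee_rr, [cdn2, inter]),
    }
```

Only the DANE-EE record breaks on the switch, which is why the reply suggests certifying an intermediate CA: each CDN gets a leaf under it and the TLSA record in the signed zone never has to change on the CDN's timescale.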