Re: [TLS] draft-ietf-tls-esni feedback

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 23 October 2019 15:41 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C0D120AD6 for <tls@ietfa.amsl.com>; Wed, 23 Oct 2019 08:41:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aA-FvIi9YBZd for <tls@ietfa.amsl.com>; Wed, 23 Oct 2019 08:41:06 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4B77120AD7 for <tls@ietf.org>; Wed, 23 Oct 2019 08:41:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id D2CFE45518; Wed, 23 Oct 2019 18:41:03 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 5GaovYxT8MBY; Wed, 23 Oct 2019 18:41:03 +0300 (EEST)
Received: from LK-Perkele-VII (87-100-246-37.bb.dnainternet.fi [87.100.246.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id CE30B2315; Wed, 23 Oct 2019 18:40:59 +0300 (EEST)
Date: Wed, 23 Oct 2019 18:40:59 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Bill Frantz <frantz@pwpconsult.com>, TLS List <tls@ietf.org>
Message-ID: <20191023154059.GA471205@LK-Perkele-VII>
References: <CAChr6SwM0cAH4ShJdw6WpV3rwLUPoaqB+imvv61XohLaLiS7jA@mail.gmail.com> <r480Ps-10146i-D05F1D3FC7BC4B899AE60F28D44FDF74@Williams-MacBook-Pro.local> <CACsn0cmhJ5yhZ7h7skgJLdbH9ykcOw6_9D+h7hx8Y8YE69nMaA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CACsn0cmhJ5yhZ7h7skgJLdbH9ykcOw6_9D+h7hx8Y8YE69nMaA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1dY473qABhLqAhdTV4q96zrjpyo>
Subject: Re: [TLS] draft-ietf-tls-esni feedback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 15:41:09 -0000

On Wed, Oct 23, 2019 at 07:52:33AM -0700, Watson Ladd wrote:
> On Wed, Oct 23, 2019 at 7:35 AM Bill Frantz <frantz@pwpconsult.com>; wrote:
> >
> > A perhaps radical suggestion:
> >
> > Make the server name field fixed length e.g. 256 bytes. Longer
> > server names are not supported and clients MUST NOT send them.
> > (Both client and server can't use them because they won't fit in
> > the fixed length field.)
> 
> The limit of server name in DNS is 260 bytes, so that limit already
> exists. No reason to shorten it elsewhere!

Got a reference for the 260 byte limit?


According to RFC 1035, the maximum DNS hostname length is 253 bytes:

"To simplify implementations, the total length of a domain name (i.e.,
label octets and label length octets) is restricted to 255 octets or
less."

This is for wire-form encoding, which has 2 bytes of overhead (initial
and terminal lengths), so maximum 253 bytes for the hostname.


However RFC2181 says:

"A full domain name is limited to 255 octets (including the separators).
The zero length full name is defined as representing the root of the DNS
tree, and is typically written and displayed as '.'."

Which could be interpretted as that the final length is not part of the
255 byte limit, and thus DNS name being maximum of 256 octets,
corresponding to maximum hostname length of 254 bytes. However, dig
utility refuses to send such queries (can send 253 bytes just fine), so
I presume that the 255 octet limit is intended to include the terminal
length -> maximum hostname length is 253 octets.


I can not find any justification for higher limit from any RFC updating
1035 or 2181. And I would expect any such limit to have been
significantly above 253 bytes.



-Ilari