Re: [TLS] New Draft: Using DNS to set the SNI explicitly

"Salz, Rich" <rsalz@akamai.com> Tue, 07 February 2017 17:13 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Ben Schwartz <bemasc@google.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] New Draft: Using DNS to set the SNI explicitly
Thread-Index: AQHSgVz2hjn7SSmHEU6HJqlcxXNoy6Fdx0jw
Date: Tue, 07 Feb 2017 17:13:06 +0000
Message-ID: <f94fe122889f478dae947f960ac048a9@usma1ex-dag1mb3.msg.corp.akamai.com>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com>
In-Reply-To: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AwCPk_NZT4Y-F22DplPo3O-uk5U>
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly

I read the doc.  I’m a little dumb, but I think a more expanded ladder diagram for Figure 2 would have helped me.

The basic process is query DNS, get the SNI record value, and use that as the SNI value when connecting to the domain, right? But I'm not sure of the interaction of CNAME entries here.  Do you keep the SNI value in the first, or does CNAME-chasing erase/override the initial value?

And does this really provide much additional privacy?  Can’t the attacker/repressor also do DNS queries and figure it out?  There should probably be some text around that issue.
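The CNAME question above can be made concrete with a small resolver model. The following is an added example, not code from the draft or from this message: it uses a hypothetical "SNI" record type stored under a hypothetical `_sni.` owner-name prefix (so a name that owns a CNAME still owns nothing else, as DNS requires), chases the CNAME chain with a loop guard, and then applies either of the two policies the question distinguishes: keep the SNI found at the first name, or let the canonical name at the end of the chain override it. The zone data is constructed.

```python
"""Model of DNS-driven SNI selection under CNAME chasing (constructed example)."""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # owner name -> records

# Constructed zone. "SNI" is a hypothetical record type and "_sni." a hypothetical
# owner-name prefix; neither is taken from the draft. The prefix keeps the data
# valid DNS, since a name that owns a CNAME may own no other records.
ZONE: Zone = {
    "www.example.com.":        [("CNAME", "edge.example.net.")],
    "_sni.www.example.com.":   [("SNI", "front-a.example.net.")],
    "edge.example.net.":       [("CNAME", "pop1.example.net.")],
    "pop1.example.net.":       [("A", "192.0.2.10")],
    "_sni.pop1.example.net.":  [("SNI", "front-b.example.net.")],
    # A plain host with no SNI record anywhere in its (trivial) chain.
    "plain.example.org.":      [("A", "198.51.100.7")],
    # A CNAME loop, to show that the chase still terminates.
    "loop-a.example.org.":     [("CNAME", "loop-b.example.org.")],
    "loop-b.example.org.":     [("CNAME", "loop-a.example.org.")],
}

MAX_CHAIN = 8  # hard cap on CNAME hops, independent of loop detection


def rdata(zone: Zone, owner: str, rrtype: str) -> Optional[str]:
    """First rdata of the given type at `owner`, or None."""
    for t, v in zone.get(owner, []):
        if t == rrtype:
            return v
    return None


def cname_chain(zone: Zone, name: str) -> List[str]:
    """Owner names visited while chasing CNAMEs from `name`, first to last."""
    chain: List[str] = []
    cur = name
    while cur not in chain and len(chain) < MAX_CHAIN:
        chain.append(cur)
        nxt = rdata(zone, cur, "CNAME")
        if nxt is None:
            break
        cur = nxt
    return chain


def sni_candidates(zone: Zone, name: str) -> List[Tuple[str, str]]:
    """(owner, sni) pairs found along the chain, in chain order."""
    out: List[Tuple[str, str]] = []
    for owner in cname_chain(zone, name):
        v = rdata(zone, "_sni." + owner, "SNI")
        if v is not None:
            out.append((owner, v.rstrip(".")))
    return out


def choose_sni(zone: Zone, name: str, policy: str = "first") -> str:
    """policy='first': keep the SNI found at the earliest name in the chain.
    policy='last':  let CNAME-chasing override it with the canonical name's record.
    With no SNI record anywhere, fall back to the requested host name itself,
    which is what a client without this mechanism would send."""
    cands = sni_candidates(zone, name)
    if not cands:
        return name.rstrip(".")
    return cands[0][1] if policy == "first" else cands[-1][1]
```

Running `choose_sni(ZONE, "www.example.com.", "first")` yields `front-a.example.net`, while `"last"` yields `front-b.example.net`; the two policies give different SNI values for the same host, which is exactly the ambiguity a client implementer would need the draft to settle. The loop and no-record cases return without hanging and fall back to the host name.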