Re: [TLS] Alternative ESNI?

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 18 December 2018 22:05 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBPWL-BaaWvrkjmyaqUNccctEsYegN3i-JPT+brVCRHZRQ@mail.gmail.com>
Date: Tue, 18 Dec 2018 17:04:56 -0500
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <C4BB5A2A-E8A2-4E59-8733-8A8F90B3CB71@dukhovni.org>
References: <20181215025346.GJ15561@localhost> <CABcZeBM_7LF-UDH8NR3Kad-8zSJBWwuNsDEJVAagHf1cV4Ow6g@mail.gmail.com> <alpine.LRH.2.21.1812161439170.14874@bofh.nohats.ca> <CABcZeBNyF6kP7iHZjDq0w+OtOOj5d67J8sCkLYwA5xaFTW8Q8Q@mail.gmail.com> <CAHbuEH7R36YyFN=7ctMUHMndgt93TKM9srM4YkdBqL05dLyscQ@mail.gmail.com> <CABcZeBPWL-BaaWvrkjmyaqUNccctEsYegN3i-JPT+brVCRHZRQ@mail.gmail.com>
To: IETF TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EjC2xmPYzxGOvbEkRQx7Nqv_aZc>
Subject: Re: [TLS] Alternative ESNI?


> On Dec 18, 2018, at 4:48 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> To my knowledge, no generic browser client does DNSSEC validation, for the reason that when people have looked at it it created unacceptable failure rates.

Agreed.  That's a pretty safe bet.  The last-mile problem is still with us for
now, though of course DoH/DoT change that too.  The failure rates are almost
never on the backbone, but rather between the user and a crippled local resolver.
To the extent that ESNI presumes DoH/DoT, DNSSEC might become more viable, but
we're certainly not there yet.

And even though public recursive resolvers often do validation, most domains
are as yet unsigned, the signed domains are still heavily concentrated at
a few registries and hosting providers in Northern Europe, and separately Brazil.

Adoption elsewhere is still light, and adoption barriers at registries and registrars
are a major obstacle, though that is slowly starting to change as some start to
implement CDS (RFC8078) support.

-- 
	Viktor.
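The "crippled local resolver" last-mile failure Viktor describes shows up in the DNS response itself: the resolver returns SERVFAIL for signed names, strips the EDNS OPT record (so it can never carry DO/RRSIG data), or answers without the AD bit. The following is an added example, not code from the message or the working group: a small Python parser over constructed DNS response bytes (the sample messages, the `analyse_response`/`classify_resolver` names and the coarse classification are all this example's own assumptions) that shows how a client could tell these cases apart from the header and the OPT pseudo-record.

```python
import struct

def _skip_name(msg, off):
    """Skip a (possibly compressed) DNS name; return the offset just after it."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def analyse_response(msg):
    """Extract DNSSEC-relevant header bits and the EDNS DO flag from a raw response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "ad": bool(flags & 0x20), "cd": bool(flags & 0x10),
            "edns_do": None}            # None means no OPT record was returned
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                 # OPT: its TTL field carries ext-RCODE/version/DO
            info["edns_do"] = bool(ttl & 0x8000)
        off += 10 + rdlen
    return info

def classify_resolver(msg):
    """Coarse last-mile verdict from one response (assumption: a signed name was queried)."""
    info = analyse_response(msg)
    if info["rcode"] == 2:
        return "SERVFAIL"               # resolver (or path) fails on DNSSEC-signed data
    if info["edns_do"] is None:
        return "no-edns"                # OPT stripped: DNSSEC records cannot be returned
    return "validated" if info["ad"] else "unvalidated"

def build_response(flags, include_opt=True, do=True):
    """Constructed sample response for example.com./A (not a real capture)."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if include_opt else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0) if include_opt else b""
    return hdr + question + answer + opt

VALIDATED = build_response(0x81A0)                    # QR RD RA AD, OPT with DO
CRIPPLED = build_response(0x8180, include_opt=False)  # QR RD RA, OPT stripped by middlebox/resolver
SERVFAIL = build_response(0x8182)                     # RCODE 2 on a signed name
```

A real diagnostic would repeat the query with the CD bit set and against a known validating resolver to separate a broken last mile from a genuinely bogus zone; this block only shows the header-level signals.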