Re: [TLS] Two Multi-CDN proposals
Eric Rescorla <ekr@rtfm.com> Thu, 28 February 2019 13:13 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D06D130E7F for <tls@ietfa.amsl.com>; Thu, 28 Feb 2019 05:13:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCW28a-oRTvM for <tls@ietfa.amsl.com>; Thu, 28 Feb 2019 05:13:17 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E57EA130E27 for <tls@ietf.org>; Thu, 28 Feb 2019 05:13:16 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id x206so7188310lff.3 for <tls@ietf.org>; Thu, 28 Feb 2019 05:13:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sRv9mB2WcfYoxhsmkqdkxcnFocTuTUHzfQIJutzRLgU=; b=febC8V/S+i5v+44Nd4Iq9T0ghGKTeKdRy3zd2MIFPrF0HM4StlPqWr7iY9WkmZQbJx ZJaxTC+PfFWaXbi4LUEE6uqfoPe2BqRfbv+fy6FKcfiWB7o/Vxf7gidPpLxiynYEmeVh 0454g80v+XjzqMRqWE8qwweTB363bab6z2qEXJkvV+eu66FxTzqWZx3o6GVm6Sv+ZpOn pSiEX2qHyVnFzrvsVFB2lAhI5sjrcwquaWaWr2Mc6ulpdwx+wN7f9bOGuWP9UrFfjByo P3QawVfaaayIezWgcF5/F8JNisQkk0EdhVa6NFHRCcdG5Nn7ChZwgkXP9X2NjZsEk1eR zYNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sRv9mB2WcfYoxhsmkqdkxcnFocTuTUHzfQIJutzRLgU=; b=oGFUc4r+EXaKjhkMUoAJirHesWqKwgxTxmxv/7cfsDeCMMHMmK89q8DGitiHN39NpL opVCYOxlf8XDRXF+o4tCCIa7w48eElzPGRmRdl5RMDEpSF7wLxsCg7lqYzTVxTrH3+0D Qt2AReSr288BBEp+UhjD0dlDtjoxTeFeQtQg0t9iQ+s3a7A2ALEjOMeAXpVhOoxcwJeY WKs9+5OnPu+SlrAGh4CbrtIglXS3vW/9IO1lqfjZhRKIpzVJ+F9DodyB9IjIKqYNC+my RKEE00Q94a2hLw1KmzDtIlVuBK2BTo6c1y6ZlCJYF2YKm1PpKt33ZAK8xRuhHmpOyok9 VQ7A==
X-Gm-Message-State: AHQUAua9j0XY2vat2gkKIb7eTHS616hJgXoOzmZQk57L8APEwST1DGA6 IU0kUzbLPF7hCGdLqTEyJHdPxbu65Dwxt/9m3kn2lA==
X-Google-Smtp-Source: AHgI3IaXuAm/mdBTw5xf5k6OARWK2nSDVtSbwCZAH6HAWpJvtPE9K6i/89vCFB1BwVdhmkOpb4TCwSabTSRubvi9ph4=
X-Received: by 2002:ac2:51bc:: with SMTP id f28mr4495089lfk.123.1551359594860; Thu, 28 Feb 2019 05:13:14 -0800 (PST)
MIME-Version: 1.0
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie> <CABcZeBN0mf7VFCKKdg9gH0=tCS7eLZz6M5_WJdaNG7XrJeyESw@mail.gmail.com> <0b854704-8f93-f9ad-c067-67f7f73cbbbf@cs.tcd.ie> <CABcZeBM61u=DtjQh+NkQF47MLyZS4EyuGBjDnsfjxz-z5kfjoQ@mail.gmail.com> <1eaaebf3-6e8a-ae84-0ab3-f977295c0721@cs.tcd.ie>
In-Reply-To: <1eaaebf3-6e8a-ae84-0ab3-f977295c0721@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Feb 2019 05:12:37 -0800
Message-ID: <CABcZeBMeiCa8CGqab9cUH0ydOqBJKcALuA41ToAjJ1qFirrtDQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christopher Wood <christopherwood07@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009229f30582f40db7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GxzmifrP3-CwayCtR2avS2lOp9g>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 13:13:19 -0000
On Thu, Feb 28, 2019 at 2:50 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 28/02/2019 02:40, Eric Rescorla wrote: > > On Wed, Feb 27, 2019 at 5:56 PM Stephen Farrell < > stephen.farrell@cs.tcd.ie> > > wrote: > > > >> > >> Hiya, > >> > >> On 28/02/2019 01:41, Eric Rescorla wrote: > >>> I think you're misunderstanding the scenario here: we have two CDNs A > and > >>> B, and some switching service in front, so that when you lookup > >> example.com, > >>> you get a CNAME to A or B, and then you get the ESNIKeySet > >> > >> (ESNIKeySet is a type you've just invented I guess?) > >> > > > > No. I forgot it was named ESNIKeys > > > > Phew:-) > > >>> for A or B as > >>> the case may be. So you're not going to get both ESNIKeys values. > >> > >> Yes, that's not the model I had in mind. I don't recall that having > >> been written down but maybe I missed it. (Where should I look?) > >> > > > > I believe this was discussed in Bangkok during the discussion of problems > > with the current structure. > > FWIW, I didn't take from that discussion that we only want > that model to be supported, but it may have passed me by > if that was stated. > No, it's merely the most challenging. > >> The model I had in mind was where the hidden site has it's own DNS > >> operator but >1 CDN/front-site with each of those having a private > >> ESNI value. (And if there's some front-end DNS cleverness, it'd > >> kick in when the CNAME from #137 is being chased down.) > >> > > > > I don't see how this is conflicts with what I said above, as that server > > still needs to ensure consistency. > > I don't think mine conflicts with the model you describe, > but I do think it has different consequences for how we > ought structure the ESNIKeys stuff. > > To be more specific, say in my model I have example.com > and want to see ESNI used for www.example.com and I > publish the zone for example.com including ESNIKeys. > > Now I want browsers to be able to use either cdn1.example > or cdn2.example to front for www.example.com where those > are independent CDNs. > > So I need to update my DNS zone periodically whenever > one or other CDN changes their ESNI public key share. > In my tiny little case doing this for a few domains, I > already have a small infrastructure that allows me to > do that kind of thing because of the need for regular > DNSSEC re-signing. (Mine currently works at a weekly > or daily cadence, but doing it hourly would be fine.) > > I'd like to do that via a simple update to my zone files > without having to unpack and re-pack the data structures > I get from cdn1 or cdn2. Now sure, I could write a new > tool to munge together what I get from the CDNs but > that's more work (that could go wrong) and doesn't match > my current work flows. And I suspect others may operate > similarly. > The vast majority of people have someone else manage their DNS, so I'm sure some others do, but I doubt many. > That's what leads me to think that we'd be better off > to have multi-valued answers when a browser looks up > the RRset at _esni.www.example.com with each separate > value matching one ESNI public share (or one CDN, > though I'd argue for one share per zone file stanza). > I don't really understand your point, because this *is* the expected design. > >> PS: I nonetheless maintain my points about the current ESNIKeys > >> structure - it's over generic and over complex and these PRs can > >> only make that worse:-) > >> > > > > Yes, I am aware this is your opinion, but I don't agree. > Fair enough:-) Personally I think that if we support > the kind of model above, such simplifications may well > naturally fall out of that work but we'll see I guess. > For example, I think that'd allow re-structuring the > ESNIKeys thing so the host_pointer in #137 no longer > needs to be an extension and hence we don't need the > concept of mandatory/critical extensions at all. > Well, obviously if you bake all the functionality into the record from the start, you won't need extensions, mandatory or otherwise. But I don't think this piece of functionality is well enough understood to tdo that with. -Ekr > Cheers, > S. > > > > > > > -Ekr > > >
- [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Nick Sullivan
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- [TLS] More issues with current ESNIKEYS DNS appro… Erik Nygren
- Re: [TLS] More issues with current ESNIKEYS DNS a… Stephen Farrell