Re: [TLS] DNS-based Encrypted SNI

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 03 July 2018 19:50 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Paul Wouters <paul@nohats.ca>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] DNS-based Encrypted SNI
Date: Tue, 03 Jul 2018 19:50:00 +0000
Message-ID: <BN6PR14MB11065355B19B16FEDCEDF28083420@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <CABcZeBMR=5QQjSS68H2mQoyG1cHVa5+Z_5SH0Md07kTBVSr3Sw@mail.gmail.com> <alpine.LRH.2.21.1807022343380.3445@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1807022343380.3445@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/M5B4Q6fC-CaaSQz1o94yOVZrA84>
Subject: Re: [TLS] DNS-based Encrypted SNI

One of the things we found out with CAA is that this extremely optimistic view
of the support for unknown RR types by large hosting providers is not 
accurate.

-Tim

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Paul Wouters
> Sent: Monday, July 2, 2018 11:53 PM
> To: tls@ietf.org
> Subject: Re: [TLS] DNS-based Encrypted SNI
>
> On Mon, 2 Jul 2018, Eric Rescorla wrote:
>
> >   https://tools.ietf.org/html/draft-rescorla-tls-esni-00
>
> > This is at a pretty early stage, so comments, questions, defect
> > reports welcome.
>
>
>     This structure is placed in the RRData section of a TXT record as a
>     base64-encoded string.  If this encoding exceeds the 255 octet limit
>     of TXT strings, it must be split across multiple concatenated strings
>     as per Section 3.1.3 of [RFC4408].
>
> It is strongly recommended not to use TXT records. Why not use a new
> RRTYPE? Everything these days knows how to serve unknown record types (see
> RFC 3597). The only possible exception is provisioning tools of small
> players, but this document starts off saying you basically need to be on a
> bulk hosting provider anyway. They can properly provision.
>
> I need to think more about the document to see if there is really not
> something simpler or better possible.
>
> Paul
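The two encodings the thread contrasts, as an added example that is not part of this thread or of the draft: the draft's TXT packing (base64, split into 255-octet character-strings per RFC 4408 section 3.1.3) beside the RFC 3597 generic presentation form a server would use to carry the same bytes under a new RRTYPE. The key blob and the record length are constructed; the ESNIKeys structure itself is not modelled.

```python
import base64

MAX_CHARSTRING = 255  # <character-string> limit the draft text quotes


def txt_rdata_from_blob(blob: bytes) -> bytes:
    """Pack an opaque structure (a constructed stand-in for the draft's
    ESNIKeys) as TXT RDATA: base64, then one or more length-prefixed
    <character-string>s of at most 255 octets each."""
    b64 = base64.b64encode(blob)
    chunks = [b64[i:i + MAX_CHARSTRING] for i in range(0, len(b64), MAX_CHARSTRING)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def txt_strings(rdata: bytes) -> list:
    """Walk TXT RDATA and return its character-strings in wire order.
    A truncated string is an error rather than silently accepted."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        s = rdata[i + 1:i + 1 + n]
        if len(s) != n:
            raise ValueError("truncated character-string in TXT RDATA")
        parts.append(s)
        i += 1 + n
    return parts


def blob_from_txt_rdata(rdata: bytes) -> bytes:
    """Concatenate the strings (RFC 4408 s.3.1.3 semantics) and base64-decode;
    validate=True rejects stray characters a sloppy provisioning tool might add."""
    return base64.b64decode(b"".join(txt_strings(rdata)), validate=True)


def rfc3597_presentation(rdata: bytes) -> str:
    """RFC 3597 generic presentation format for an unknown RRTYPE:
    '\\# <length> <hex>'. A server that implements RFC 3597 can load and
    serve the raw structure this way without knowing the new type."""
    return f"\\# {len(rdata)} {rdata.hex()}"


if __name__ == "__main__":
    demo_blob = bytes(range(256)) + bytes(144)  # constructed 400-octet blob
    rd = txt_rdata_from_blob(demo_blob)
    print(len(txt_strings(rd)), "TXT strings,", len(rd), "octets of RDATA")
    print(rfc3597_presentation(demo_blob)[:40], "...")
```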