Re: [TLS] ESNI and Multi-CDN

[Ilari Liusvaara <ilariliusvaara@welho.com>]

On Tue, Dec 18, 2018 at 10:46:29PM +0000, Salz, Rich wrote:
> Here is how it usually works.  Not everyone necessarily does it this
> way, but in our experience almost all of them do.
> 
> 1. Sites use a CNAME, usually using a host-specific name.
> 
> 2. Sometimes the CDN owns the DNS entry. 

There is also:

3. The site owns the zone apex DNS entry. And since it is zone apex, no
CNAME can be used (yes, everything falls apart in practice if you do).
So zone owner inserts a bunch of A/AAAA records pointing at the CDN (or
worse, CDNs).

Fixing the above is a perennial topic. Proposals include CNAME-like
mechanisms scoped to just addresses, and HTTP service discovery
mechanisms (as most popular things other than HTTP already do service
discovery).

> Having the ESNI RRtype include optional a/quadA records is something
> we have talked about internally. If so, it should be part of the RRtype
> definition, of course. We came to the same idea. Of course, we will
> then have to fight the intent to make this "generic server record"
> data such as draft-nygren-service-bindings. :)

The only use for addresses in ESNI records I can come up with is
scoping keys to practicular addresses. But one could do that by
including address masks in ESNI records so clients can match ESNI
keys to addresses without breaking database normalization.

And if one is dealing with the third case above, the solutions are
basically service discovery. And then one presumably would want it to
be service-specific (as there are other rarer services that also lack
discovery besides HTTP).

> DNS is a strange and wondrous beast, like a bear riding a bicycle. 
> We should make sure that DNS folks are heavily involved in this draft.

Here are some tips:

- If you have name references, encode those in DNS wire format and
  preferably put them first, so that recursives can follow them and
  include records they think are helpful.
- Do not assume the above happens (but do assume it may happen). Client
  has to act as a backstop.
- DNS is 8-bit clean just fine with new types.
- Records do not need explicit terminators.
- There can be many records for each type on the same owner.
- The unit of atomicity is set of records with the same (owner,
  class, type) combo. 
- The 64kB limit is not just for individual record but whole set of
  records with (owner, class, type). And to be safe, limit it to 63.5kB
  minus 12 bytes per record.

The following are Bad Idea:

- Using type or class ANY (a.k.a. *). 
  - Type ANY does the wrong thing.
  - Class ANY does completely nonsensical thing.
- Defining a new class.
- Using class other than IN (Internet).
- If you use labels, using lots of different labels at outermost level.
- Putting anything into new type that DNS can not treat as a blob.
- Assuming authoritatives do anything smart.
- Assuming authoritatives follow any references.
- Assuming different types are in any way atomic w.r.t. each other.
- Copying TXT record wire format.


-Ilari