Re: [TLS] DNS-based Encrypted SNI
Kazuho Oku <kazuhooku@gmail.com> Wed, 04 July 2018 01:37 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94DE0130E93 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 18:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQG9qQahVeK2 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 18:37:02 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DD4B130E8E for <tls@ietf.org>; Tue, 3 Jul 2018 18:37:01 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id i15-v6so3067329lfc.2 for <tls@ietf.org>; Tue, 03 Jul 2018 18:37:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=D6mhL/jPwfE8XdekJhB+QWCzFlF4CfFT/dWUjLSmMGE=; b=bkviPWeEwxSK9dxebTAvw+6WWjJjveTdLReORbF1R2LsqtIwo9HYYIcm9ysC66KfDt YTZhNohyq5yAJnacZpDd3P2bgR4BKHD933US39Xt9aj8zC4HP9mXfkaNosqmIjfvcDaf l1PgBw/zlEI9zNLR91RnamI6tO2XFnpN4LxzVlfR0gAu+P5rWKUR3z6va/tlegV9BT9U KPSCXZr+BwxjFrm5H8ALGUzmCj8FvGDC+I3YyZB+JYFigxhFZUGsmtYqGAMN8kFrdIJe 0V3ZNg0CCmajmzQ3O/fB3QmeaJL2ELapaneG8ROb4chhuOnJiVB0pTBqVO3atUcMBq6j u8gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=D6mhL/jPwfE8XdekJhB+QWCzFlF4CfFT/dWUjLSmMGE=; b=EJE7+I4xOxbWGUaNZmSYsqeKC5W3+C/DrOV70Bri8jQN8+DInIHXzAJf/uwn9MVjcb qC08vcuhA0qDfeLBahWjSEIr7TziF690mvx5d8N5zU3PKbYUWjJGSruHg6lMgIy4T1wY +dykvZrST0nAQBJtCbciQRnzuksJKi3WZ4bbpL99XZ+NZGTo2Qd0rwIPCI2gn8F5sEDq mgBjUYtyOwFYOJSvYGs8ZNVwBDmIK3SNd+yyA+TX23ikGfRWDxjWr/L1jrurdTP43V3S hDdfxH0FoC6DrsOyLS7XcyJ4cnILOOqYvxJ1swcMUKJ5Yb2vFhWUOHqGkOhgSaIS81xM KvPw==
X-Gm-Message-State: APt69E2klm1AtzjbrNTA3p17xOmxB6eGMZaquN6/xBi4X9QO+QNji/6T BL+jN5JIehM/oDzuMd6sVbvTtf6sj6pZMUgNCZg=
X-Google-Smtp-Source: AAOMgpejjNaJSyj9i13UgPOxSgMdfrgcEJUjkoteV59EKhHpzJazl7APcwIv/WnCVFsYy2yF3hEZRm/hV9Xo4XJ8Szg=
X-Received: by 2002:a19:1510:: with SMTP id l16-v6mr31083lfi.88.1530668219843; Tue, 03 Jul 2018 18:36:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:8996:0:0:0:0:0 with HTTP; Tue, 3 Jul 2018 18:36:59 -0700 (PDT)
In-Reply-To: <CABcZeBMzgZW_xqk=8go39VdHmC=6NJmscTADn+aeqGzceNidzQ@mail.gmail.com>
References: <CABcZeBMR=5QQjSS68H2mQoyG1cHVa5+Z_5SH0Md07kTBVSr3Sw@mail.gmail.com> <alpine.LRH.2.21.1807022343380.3445@bofh.nohats.ca> <CABcZeBNW+c_bvtEEjVaPisJ0Zy8OHQrYkfDMeQLKrak62ms0jw@mail.gmail.com> <alpine.LRH.2.21.1807031135170.7932@bofh.nohats.ca> <CABcZeBMzgZW_xqk=8go39VdHmC=6NJmscTADn+aeqGzceNidzQ@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 04 Jul 2018 10:36:59 +0900
Message-ID: <CANatvzyx8ykuZkM-cqN1GQ-3cHFW5KhADo_v_Z9GqrpkWoQ9xQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c1B1idgkFEJiYwCH-j33ROaOjZ8>
Subject: Re: [TLS] DNS-based Encrypted SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2018 01:37:05 -0000
2018-07-04 0:55 GMT+09:00 Eric Rescorla <ekr@rtfm.com>: > > > On Tue, Jul 3, 2018 at 8:40 AM, Paul Wouters <paul@nohats.ca> wrote: >> >> On Mon, 2 Jul 2018, Eric Rescorla wrote: >> >>> It is strongly recommended not to use TXT records. Why not use a >>> new >>> RRTYPE? Everything these days knows how to serve unknown record >>> types >>> (see RFC 3597). The only possibly exception is provisioning tools >>> of >>> small players, but this document starts of saying you basically >>> need >>> to be on a bulk hosting provider anyway. They can properly >>> provision. >>> >>> See: >>> >>> https://github.com/ekr/draft-rescorla-tls-esni/issues/7#issuecomment-388531906 >> >> >> [Can we keep the discussion within the IETF and the Note Well please. We >> also don't know what happens in 10 years with these links.] > > > If you look carefully, you'll see that this discussion happened weeks ago. I > was > just pointing you at it because you asked why we did it the way we did. > > With that said,IETF policy does not prohibit having discussions on Github.. > We do it > regularly in TLS and it's the standard policy in QUIC. > > >> >> quoting from that link: >> >> These facts lead to the conclusion that if we choose RRtype as the >> method, there would often be cases where the DNS record of the >> ESNIKey >> and the TLS server would be required to be operated by different >> entities. >> >> That seems to have confused two things with each other. I did not say >> anything about the location of the DNS record, only of the RRTYPE. >> Clearly, with the same location, it would be under control of the same >> entity, so I don't understand why you bring this up as a reason against >> using a dedicated RRTYPE. > > > I'm just quoting Kazuho here, so I'll let him respond to himself. The discussion was about comparing two approaches: a) use a new record type without suffix, b) use TXT record type with suffix. My argument was that we should select b because a has the deployability issue in regard to APEX names. It is true that the deployability issue is a concern related to the non-use of prefix. It is _not_ related to the selection of the record type. OTOH, I think that the reliability issue related to using a new record type exists, as others have pointed out. > > -Ekr > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Kazuho Oku
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Short, Todd
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Brian Sniffen
- Re: [TLS] DNS-based Encrypted SNI Short, Todd
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Paul Wouters
- Re: [TLS] DNS-based Encrypted SNI Sniffen, Brian
- Re: [TLS] DNS-based Encrypted SNI Ben Schwartz
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Paul Wouters
- Re: [TLS] DNS-based Encrypted SNI Patrick McManus
- Re: [TLS] DNS-based Encrypted SNI Tim Hollebeek
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Kazuho Oku
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Ilari Liusvaara
- Re: [TLS] DNS-based Encrypted SNI Stephen Farrell
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Eric Rescorla
- Re: [TLS] DNS-based Encrypted SNI Kathleen Moriarty
- Re: [TLS] DNS-based Encrypted SNI Stephen Farrell
- Re: [TLS] DNS-based Encrypted SNI Kathleen Moriarty
- Re: [TLS] DNS-based Encrypted SNI Kazuho Oku