Re: [TLS] ESNI and Multi-CDN

"Salz, Rich" <rsalz@akamai.com> Tue, 18 December 2018 22:46 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Ben Schwartz <bemasc@google.com>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] ESNI and Multi-CDN
Date: Tue, 18 Dec 2018 22:46:29 +0000
Message-ID: <8ED2A93D-3FC8-43C6-A15D-008F0890DEF4@akamai.com>
References: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com> <20181218211435.GB592@LK-Perkele-VII> <CAHbrMsAVNua0TDinVZr7zaO5R_MYSOVwzKDvb1GzeXXvgRJQ9g@mail.gmail.com> <20181218214928.GD592@LK-Perkele-VII>
In-Reply-To: <20181218214928.GD592@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uo-wGNuscfXpgy-Ct60ogdG3iEQ>
Subject: Re: [TLS] ESNI and Multi-CDN
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Here is how it usually works.  Not everyone necessarily does it this way, but in our experience almost all of them do.

1. Sites use a CNAME, usually using a host-specific name.  E.g., www.akamai.com is a CNAME to www.akamai.com.edgekey.net.  The DNS entry for the origin may be controlled by Akamai (under direction of our customer, of course), or it may be controlled by them or by something like a CDN-brokerage company.  For example, www.paypal.com CNAMEs to www.glob.paypal.com, where GLB presumably stands for Global Load Balancer.

2. Sometimes the CDN owns the DNS entry. In my experience this is more common for "anycast" types of services. For example, uureading.org returns A/QuadA records pointing into a CloudFlare address block.

Having the ESNI RRtype include optional A/quadA records is something we have talked about internally. If so, it should be part of the RRtype definition, of course. We came to the same idea. Of course, we will then have to fight the intent to make this "generic server record" data such as draft-nygren-service-bindings. :)

DNS is a strange and wondrous beast, like a bear riding a bicycle.  We should make sure that DNS folks are heavily involved in this draft.
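The mail describes two deployment shapes (a broker-controlled CNAME into a CDN, or a CDN-owned zone) and floats carrying A/AAAA data inside the ESNI record itself. The toy model below is an added example, not code from the thread or from any CDN: it shows why the proposal matters, namely that when the address and ESNI lookups are steered independently by a CDN brokerage, a client can end up holding CDN A's addresses and CDN B's ESNI key. The CDN names, addresses, keys and the "ESNI+ADDR" record label are all hypothetical.

```python
ORIGIN = "www.example.com."

# Constructed sample data: two hypothetical CDNs fronting the same origin.
CDNS = {
    "cdn-a": dict(name="www.example.com.cdn-a.example.net.",
                  addrs=["192.0.2.10"], esni_key="esni-key-A"),
    "cdn-b": dict(name="www.example.com.cdn-b.example.net.",
                  addrs=["198.51.100.20"], esni_key="esni-key-B"),
}

class Broker:
    """Models a CDN-brokerage / global load balancer that owns the origin's
    CNAME and may steer each query to a different CDN (shape 1 in the mail)."""
    def __init__(self, steering):
        self._steer = iter(steering)          # one decision consumed per CNAME lookup

    def cname_for(self, name):
        if name != ORIGIN:
            raise KeyError(name)
        return CDNS[next(self._steer)]["name"]

def authoritative(name, rrtype):
    """Records served from the zone the CDN itself controls (shape 2 in the mail)."""
    for cdn in CDNS.values():
        if cdn["name"] == name:
            if rrtype == "A":
                return cdn["addrs"]
            if rrtype == "ESNI":
                return {"key": cdn["esni_key"]}
            if rrtype == "ESNI+ADDR":        # hypothetical: ESNI record with embedded addresses
                return {"key": cdn["esni_key"], "addrs": cdn["addrs"]}
    raise KeyError(name)

def resolve(broker, name, rrtype):
    """Follow the broker's CNAME, then ask the CDN's zone for the record."""
    if name == ORIGIN:
        name = broker.cname_for(name)
    return authoritative(name, rrtype)

def separate_lookups(broker):
    """Addresses and ESNI key fetched as two independent queries."""
    addrs = resolve(broker, ORIGIN, "A")
    esni = resolve(broker, ORIGIN, "ESNI")
    return addrs, esni["key"]

def bundled_lookup(broker):
    """ESNI record carries the addresses, so one steering decision covers both."""
    rec = resolve(broker, ORIGIN, "ESNI+ADDR")
    return rec["addrs"], rec["key"]

def consistent(addrs, key):
    """True when the ESNI key belongs to the CDN that actually owns the addresses."""
    owner = next(c for c in CDNS.values() if c["esni_key"] == key)
    return all(a in owner["addrs"] for a in addrs)
```

A steering sequence of `["cdn-a", "cdn-b"]` makes `separate_lookups` inconsistent while `bundled_lookup` can never be, because the key and addresses come from the same answer.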