On 2/7/2017 9:11 AM, Ben Schwartz wrote:
> ...
>
> I proposed to treat IPv4 and IPv6 separately because a "dual stack"
> domain owner might reasonably have very different configurations for
> their IPv4 and IPv6 servers. For example, a domain owner might use
> shared hosting for IPv4, but assign each domain to a unique IPv6
> address. Splitting the DNS record in this way allows the server
> operator to disable SNI (by publishing an SNI record with empty RDATA)
> for connections to the IPv6 servers, without affecting requests to the
> IPv4 servers.
>
I am not sure that this is the right trade-off. If some adversary censors based on the SNI, they will also be able to censor based on the IP address of the server (v4 or v6). The resistance to censorship (or monitoring) only happens if the connections are proxied through another service. I would think that you want the name of that proxy service in the DNS, independently of the network configuration.

-- 
Christian Huitema
_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
