On Tue, Dec 18, 2018 at 4:14 PM Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote: > > I'd like to propose a solution to the ESNI + Multi-CDN problem (which has > > been discussed a lot on this list already). My suggestion is that we > > define the ESNI DNS record format as optionally including "stapled" > A/AAAA > > records. > > > > Server operators would have the option to publish an ESNI record that > only > > contains an ESNIKeys structure (like the current TXT record), or to > publish > > an ESNI record that also includes IPv4 and/or IPv6 addresses. (A > > Sufficiently Advanced authoritative DNS server would generate such > records > > automatically.) This kind of address stapling would only be required of > > CDN operators who want to support multi-CDN deployments. > > > > Clients would issue A, AAAA, and ESNI queries in parallel (as with the > > current TXT record). If an ESNI record exists, and it contains IP > > addresses, the client discards the results of the A or AAAA query. > > I do not think this will work: > > - The CDNs need control of ESNIkeys > - If you hand them this control, you can hand over address control at > the same time. > - Now you are in HTTP service discovery territory. > > I am not saying that HTTP service discovery is undesirable (it is one > of those perennial topics that are not seemingly bad ideas but never > seem to get done). > Sorry, I don't understand. What are you saying will not work? This proposal is not HTTP-related, nor is it any kind of service discovery. A CDN necessarily controls both the addresses and ESNIKeys; this proposal just stores that info in one RR instead of two. > Conversely, if one had HTTP service discovery, almost everything about > the CDN problems with ESNI would be solved instantly (what is not > solved by the same-owner rule). > > > -Ilari >
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls