Re: [TLS] ESNI and Multi-CDN

Tue, 18 Dec 2018 13:27:44 -0800 

On Tue, Dec 18, 2018 at 4:14 PM Ilari Liusvaara <ilariliusva...@welho.com>
wrote:

> On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote:
> > I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
> > been discussed a lot on this list already).  My suggestion is that we
> > define the ESNI DNS record format as optionally including "stapled"
> A/AAAA
> > records.
> >
> > Server operators would have the option to publish an ESNI record that
> only
> > contains an ESNIKeys structure (like the current TXT record), or to
> publish
> > an ESNI record that also includes IPv4 and/or IPv6 addresses.  (A
> > Sufficiently Advanced authoritative DNS server would generate such
> records
> > automatically.)  This kind of address stapling would only be required of
> > CDN operators who want to support multi-CDN deployments.
> >
> > Clients would issue A, AAAA, and ESNI queries in parallel (as with the
> > current TXT record).  If an ESNI record exists, and it contains IP
> > addresses, the client discards the results of the A or AAAA query.
>
> I do not think this will work:
>
> - The CDNs need control of ESNIkeys
> - If you hand them this control, you can hand over address control at
>   the same time.
> - Now you are in HTTP service discovery territory.
>
> I am not saying that HTTP service discovery is undesirable (it is one
> of those perennial topics that are not seemingly bad ideas but never
> seem to get done).
>

Sorry, I don't understand.  What are you saying will not work?

This proposal is not HTTP-related, nor is it any kind of service
discovery.  A CDN necessarily controls both the addresses and ESNIKeys;
this proposal just stores that info in one RR instead of two.


> Conversely, if one had HTTP service discovery, almost everything about
> the CDN problems with ESNI would be solved instantly (what is not
> solved by the same-owner rule).
>
>
> -Ilari
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to