1. Multiple domains on the same host set the same SNI record. Possession of a global DNS database is no help to the adversary. The adversary still cannot distinguish the domains. This is the intended use.
Now I'm really confused. If the SNI value is just a cover name, and the client's going to send the real name later, why not just pick a fixed impossible cover name like SNI.INVALID and skip the SNI lookup?
Presumably if this became at all popular, everyone will send SNI.INVALID so it wouldn't leak anything interesting.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop