Hey,

I just scanned the draft and focused mainly on the DNS bits. The
described method for publishing encryption keys for SNI in DNS won't
allow the use of wildcard domain names.
Relevant text in the draft:

   The name of each TXT record MUST match the name composed of _esni and
   the query domain name.  That is, if a client queries example.com, the
   ESNI TXT Resource Record might be:

   _esni.example.com. 60S IN TXT "..." "..."

The reason is that _esni.*.example.com. doesn't work as a wildcard. If
you want wildcards to work, a new dedicated DNS record type will be
needed. I think it should be fairly easy to get a new type allocated,
as this doesn't require special DNS processing.

Cheers,

Jan

On Sat, Jul 7, 2018 at 3:19 PM Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> I think that ESNI is a nice and simple idea to solve the privacy
> problems of the current TLS SNI. I forward the draft here because it
> uses DNS to publish keys, under an underscore prefix.
>
>
>
> ---------- Forwarded message ----------
> From: internet-dra...@ietf.org
> To: <i-d-annou...@ietf.org>
> Cc:
> Bcc:
> Date: Mon, 02 Jul 2018 16:30:21 -0700
> Subject: I-D Action: draft-rescorla-tls-esni-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
>
>
>         Title           : Encrypted Server Name Indication for TLS 1.3
>         Authors         : Eric Rescorla
>                           Kazuho Oku
>                           Nick Sullivan
>                           Christopher A. Wood
>         Filename        : draft-rescorla-tls-esni-00.txt
>         Pages           : 19
>         Date            : 2018-07-02
>
> Abstract:
>    This document defines a simple mechanism for encrypting the Server
>    Name Indication for TLS 1.3.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-rescorla-tls-esni/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-rescorla-tls-esni-00
> https://datatracker.ietf.org/doc/html/draft-rescorla-tls-esni-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> i-d-annou...@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
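To make Jan's wildcard point above concrete, here is an added example (not code from the draft, from the thread, or from any DNS implementation): a toy lookup that follows the RFC 4592 wildcard rules (a `*` label is only a wildcard when it is the leftmost label of an owner name, and synthesis comes from the `*` child of the query name's closest encloser) run over two constructed zones. The `ESNI` record type, the placeholder key string and the hostnames are assumptions made for illustration; the draft defines no such type.

```python
"""
Toy RFC 4592 wildcard lookup illustrating why a TXT record published under
the _esni.<name> convention cannot be served from a wildcard owner name.
Added example with constructed zones; not the draft's or any resolver's code.
"""

# Stands in for the draft's ESNIKeys blob (constructed placeholder value).
ESNI_RDATA = "esni-keys-placeholder"


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def _ancestors(name: str):
    """All names from `name` upward, e.g. a.b.c -> ['a.b.c', 'b.c', 'c']."""
    labels = _labels(name)
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(zone: dict, qname: str, qtype: str):
    """Return (status, rdata) for qname/qtype using the RFC 4592 rules:
    - a name exists if it owns records or is an empty non-terminal (an
      ancestor of an owner name);
    - an existing name answers only from its own RRsets (NODATA otherwise);
    - a non-existent name is answered from '*.<closest encloser>' if that
      owner exists; a '*' label anywhere else in an owner name is literal.
    """
    zone = {owner.lower().rstrip("."): rrs for owner, rrs in zone.items()}
    existing = {anc for owner in zone for anc in _ancestors(owner)}
    name = qname.lower().rstrip(".")

    if name in existing:
        rdata = zone.get(name, {}).get(qtype)
        return ("ANSWER", list(rdata)) if rdata else ("NODATA", [])

    closest_encloser = next(
        (anc for anc in _ancestors(name)[1:] if anc in existing), None)
    if closest_encloser is None:          # name is not below anything we serve
        return ("NXDOMAIN", [])
    source_of_synthesis = "*." + closest_encloser
    if source_of_synthesis not in existing:
        return ("NXDOMAIN", [])
    rdata = zone.get(source_of_synthesis, {}).get(qtype)
    return ("ANSWER", list(rdata)) if rdata else ("NODATA", [])


_APEX = {
    "example.com.": {"SOA": ["ns.example.com. hostmaster.example.com. 1 3600 900 604800 60"],
                     "NS": ["ns.example.com."]},
    "ns.example.com.": {"A": ["192.0.2.53"]},
    "www.example.com.": {"A": ["192.0.2.10"]},          # an explicitly named host
}

# Zone 1 (constructed): the draft's TXT convention, with the operator trying to
# cover every wildcard host by publishing the key under _esni.*.example.com.
ZONE_TXT_PREFIX = dict(_APEX, **{
    "*.example.com.": {"A": ["192.0.2.1"], "TXT": ["v=spf1 -all"]},
    "_esni.*.example.com.": {"TXT": [ESNI_RDATA]},
})

# Zone 2 (constructed): a hypothetical dedicated ESNI type at the wildcard.
ZONE_DEDICATED_TYPE = dict(_APEX, **{
    "*.example.com.": {"A": ["192.0.2.1"], "TXT": ["v=spf1 -all"],
                       "ESNI": [ESNI_RDATA]},
})


def esni_via_txt_prefix(zone: dict, host: str):
    """What a client following the draft asks for: TXT at _esni.<host>."""
    return lookup(zone, "_esni." + host, "TXT")


def esni_via_dedicated_type(zone: dict, host: str):
    """What a client would ask for with a dedicated type: ESNI at <host>."""
    return lookup(zone, host, "ESNI")


if __name__ == "__main__":
    for host in ("bar.example.com", "www.example.com"):
        # Zone 1: the wildcard host gets the SPF TXT string (synthesised from
        # *.example.com), never the key; the explicit host gets NXDOMAIN.
        print(host, "TXT prefix:    ", esni_via_txt_prefix(ZONE_TXT_PREFIX, host))
        # Zone 2: the wildcard host gets the key; other TXT data is untouched.
        print(host, "dedicated type:", esni_via_dedicated_type(ZONE_DEDICATED_TYPE, host))
```

Querying `_esni.bar.example.com TXT` against the first zone never reaches the `_esni.*.example.com` record: `bar.example.com` does not exist, so the closest encloser is `example.com` and the answer is synthesised from `*.example.com`, returning whatever TXT data happens to live there (here an SPF string). Putting the key into `*.example.com TXT` instead would make it appear in every TXT answer under the zone. A dedicated type at `*.example.com` is synthesised only for queries of that type, which is the property Jan is after.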
