2018-07-19 14:48 GMT-04:00 Jan Včelák <j...@fcelda.cz>: > Patrick, I believe my understanding of the SNI consumer side is the > same. I'm talking about inability to use DNS wildcard on SNI producer > side: > > Let's say I get domain example.com and wildcard certificate > *.example.com. I want to run a couple of services on the subdomains of > example.com and I want to use ESNI. If a TLS client want's to connect > for instance to www.example.com, it will resolve www.example.com > A/AAAA record to get server IP and _esni.www.example.com TXT to get > the key to encrypt SNI. Is that right or did I miss something about > your draft? > > If the above true, then my objection is that I cannot use DNS wildcard > for _esni record and I will have to create explicit one for each > subdomain (service) on example.com. Another annoying thing is that > existence of _esni.www.example.com TXT record will prevent expansion > of *.example.com A/AAAA for www.example.com. The solution would be to > request new DNS RR type for ESNI which could be used with > *.example.com DNS name.
I agree that the issue exists. Thank you for pointing that out. I can see that using a dedicated type resolves the issue for the case where the DNS and TLS servers are operated by the same entity. However, that would not solve the issue if the servers are operated by different entities. Do you have any suggestions on how we can support that case as well? Background: In ESNI, we would like to support two types of deployments: 1) DNS and TLS servers operated by same entity, 2) DNS and TLS server operated by separate entities. The latter case is actually common; it is often the case for a website to select different service providers for DNS and CDN. In such case, we would like to use CNAME to delegate the ESNIKeys entry from the DNS of the website to that of the CDN (example show below). Otherwise, there is a risk of the key (which needs to be rotated) getting out of sync. _esni.example.com. IN CNAME 3600 _esni.cdn.example. However, this pattern does not work for wildcards, because CNAME is not type-specific. We would want to do something like below, but that is not possible. *.example.com IN A 192.0.2.1 # IP address provided by CDN *.example.com IN CNAME _esni.cdn.example. # delegate ESNI records only My understanding is that ANAME is coming, but that is for address records only. It cannot be used to delegate a specific type that you choose. > Jan > On Thu, Jul 19, 2018 at 2:27 PM Patrick McManus <pmcma...@mozilla.com> wrote: >> >> the tls server side (aka the cert side) can definitely use a wildcard (or a >> list of explicit names, or a mix of both!) But that's the SNI consumer. The >> draft is about the SNI producer which does not use wildcards. >> >> e.g. the ESNI work is about what is put in the TLS client handshake >> (historically the SNI and according this draft a new extension carrying the >> encrypted SNI) - and that is always an explicit name. And that's also the >> subject of the DNS query in order to obtain the keys. The DNS query and SNI >> leak similar amounts of information (although perhaps to different parties), >> so an encrypted DoT or DoH is an important part of the system. >> >> >> On Thu, Jul 19, 2018 at 1:53 PM, Tim Wicinski <tjw.i...@gmail.com> wrote: >>> >>> Patrick >>> >>> Can I go and order a SSL Cert with a standard name and a wildcard name for >>> SNI? We do that now. >>> >>> So, I think Jan is onto something. >>> >>> >>> On Thu, Jul 19, 2018 at 1:47 PM, Patrick McManus <pmcma...@mozilla.com> >>> wrote: >>>> >>>> >>>> On Thu, Jul 19, 2018 at 1:36 PM, Jan Včelák <j...@fcelda.cz> wrote: >>>>> >>>>> Hey, >>>>> >>>>> I just scanned the draft and focused mainly on the DNS bits. The >>>>> described method for publishing encryption keys for SNI in DNS won't >>>>> allow use of wildcard domain names. >>>>> >>>> >>>> Thanks! >>>> >>>> I believe the draft is OK on this point because wildcards aren't needed. >>>> While certificates can be valid for wildcard domains, the SNI is always a >>>> specific hostname (and the plaintext hostname informs the DNS question) >>>> >>>> >>>> >>>> _______________________________________________ >>>> DNSOP mailing list >>>> DNSOP@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dnsop >>>> >>> >> -- Kazuho Oku _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
