On Thu, Jul 19, 2018 at 3:04 PM Kazuho Oku wrote:

> Background: In ESNI, we would like to support two types of
> deployments: 1) DNS and TLS servers operated by same entity, 2) DNS
> and TLS server operated by separate entities.
Let me sketch how this could work with a custom DNS record type. Let's call the new type ESNI. This is how the DNS records for the CDN and our example.com domain may look:

  cdn-provider.test.        SOA   ...
  cust.cdn-provider.test.   A     192.0.2.100
  cust.cdn-provider.test.   AAAA  2001:db8::cafe:100
  cust.cdn-provider.test.   ESNI  "..."

  example.com.              SOA   ...
  *.example.com.            CNAME cust.cdn-provider.test.
  jabber.example.com.       CNAME somewhere-else.test.
  no-esni.example.com.      AAAA  2001:db8::beef:100
  mail.example.com.         A     198.51.100.1
  mail.example.com.         AAAA  2001:db8::beef:200
  mail.example.com.         ESNI  "..."

I think this configuration should support all the deployments you mentioned:

- mail.example.com is configured explicitly.
- jabber.example.com configuration is outsourced to some other provider. We don't know if they provide A, AAAA, or ESNI.
- no-esni.example.com is configured explicitly with no ESNI.
- any other subdomain under example.com is outsourced to cust.cdn-provider.test, which provides A, AAAA, and ESNI.

> My understanding is that ANAME is coming, but that is for address
> records only. It cannot be used to delegate a specific type that you
> choose.

We all wish we had a solution for this problem. At the moment, you can use just CNAME, which takes all. If you want to configure a subset of A, AAAA, ESNI, you have to do that explicitly. Also, you cannot use CNAME at the zone apex (for example.com.).

Jan
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
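As an added illustration (not part of Jan's message or of any DNSOP draft), the following Python toy resolver loads the zone sketch above as constructed in-memory data and walks CNAME chains for an arbitrary RRtype, so one can see which names pick up ESNI from the CDN through the wildcard CNAME, which get NODATA (name exists, type absent), and which are outsourced beyond the data we hold. It also performs the two load-time checks the message alludes to: CNAME alongside other data at the same owner, and CNAME at the zone apex (the owner of the SOA). The ESNI rdata values, SOA contents and the `somewhere-else.test.` delegation are placeholders; the wildcard matching is a simplified reading of RFC 4592 and the hypothetical ESNI type is handled like any other RRtype.

```python
"""Toy in-memory resolver for the zone sketch in the thread.

Constructed data, not taken from any real zone: the ESNI rdata are
placeholder strings and the hypothetical ESNI type is treated like any
other RRtype. Names are absolute (trailing dot).
"""
from __future__ import annotations

# owner -> {RRtype: [rdata, ...]}
ZONE = {
    "cdn-provider.test.": {"SOA": ["ns1.cdn-provider.test. hostmaster.cdn-provider.test. 1 3600 900 604800 300"]},
    "cust.cdn-provider.test.": {
        "A": ["192.0.2.100"],
        "AAAA": ["2001:db8::cafe:100"],
        "ESNI": ["<esni-config-cdn>"],      # placeholder, constructed
    },
    "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"]},
    "*.example.com.": {"CNAME": ["cust.cdn-provider.test."]},
    "jabber.example.com.": {"CNAME": ["somewhere-else.test."]},  # outsourced; target not in our data
    "no-esni.example.com.": {"AAAA": ["2001:db8::beef:100"]},
    "mail.example.com.": {
        "A": ["198.51.100.1"],
        "AAAA": ["2001:db8::beef:200"],
        "ESNI": ["<esni-config-mail>"],     # placeholder, constructed
    },
}


def parent(name: str) -> str | None:
    """Strip the leftmost label; None once the next step would be the root."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else None


def name_exists(zone: dict, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of an owner
    (an empty non-terminal); either one blocks wildcard synthesis below."""
    return any(o == name or o.endswith("." + name) for o in zone)


def find_owner(zone: dict, qname: str) -> str | None:
    """Exact owner, else the wildcard directly under the closest encloser
    (RFC 4592 rules, simplified), else None (name not in our data)."""
    if qname in zone:
        return qname
    if name_exists(zone, qname):
        return None  # empty non-terminal: exists, owns nothing, no wildcard
    enc = parent(qname)
    while enc is not None and not name_exists(zone, enc):
        enc = parent(enc)
    wild = f"*.{enc}" if enc else None
    return wild if wild in zone else None


def resolve(zone: dict, qname: str, qtype: str, max_chain: int = 8):
    """Follow CNAMEs the way a resolver does; return (chain, final_name, rdata).
    rdata is [] for NODATA (name exists, type absent) and None when the
    final name lies outside the data we hold (delegated elsewhere)."""
    chain: list[tuple[str, str]] = []
    name = qname
    for _ in range(max_chain):
        owner = find_owner(zone, name)
        if owner is None:
            return chain, name, None
        rrsets = zone[owner]
        if "CNAME" in rrsets and qtype != "CNAME":
            target = rrsets["CNAME"][0]   # CNAME "takes all": every type is redirected
            chain.append((name, target))
            name = target
            continue
        return chain, name, list(rrsets.get(qtype, []))
    raise RuntimeError(f"CNAME chain from {qname} exceeds {max_chain} hops")


def zone_errors(zone: dict) -> list[str]:
    """Load-time checks a zone parser would reject: CNAME with other data at
    the same owner, and CNAME at the apex (the owner that holds the SOA)."""
    errs = []
    for owner, rrsets in zone.items():
        if "CNAME" not in rrsets:
            continue
        if "SOA" in rrsets:
            errs.append(f"{owner}: CNAME at zone apex")
        elif len(rrsets) > 1:
            errs.append(f"{owner}: CNAME alongside other data")
    return errs


if __name__ == "__main__":
    assert not zone_errors(ZONE)
    for q in ["www.example.com.", "mail.example.com.", "no-esni.example.com.",
              "jabber.example.com.", "example.com."]:
        for t in ("A", "ESNI"):
            chain, final, rdata = resolve(ZONE, q, t)
            status = "outsourced" if rdata is None else (rdata or "NODATA")
            print(f"{q:24} {t:5} -> {final:26} {status}")
    # Putting a CNAME at the apex, as the mail notes, is rejected outright.
    apex_bad = {**ZONE, "example.com.": {**ZONE["example.com."], "CNAME": ["cust.cdn-provider.test."]}}
    print(zone_errors(apex_bad))
```

Running it shows the asymmetry the message describes: `www.example.com.` and any deeper name under the wildcard inherit A, AAAA and ESNI wholesale from `cust.cdn-provider.test.`, `no-esni.example.com.` answers NODATA for ESNI because its explicit AAAA prevents the wildcard from applying, `jabber.example.com.` leaves our data entirely, and the apex cannot take part in the scheme at all.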