Sorry, I don't understand why this configuration would create a problem.

Each SVCB record is a valid configuration.  Clients should try one, and if it 
fails, they should try the other. [1]

A server should disambiguate which ECHConfig is in use by the config_id, or 
otherwise use trial decryption to determine which one is in use [2].

A configuration somewhat like this might even be useful, in a future scenario 
where you are rolling out a new ECHConfig (e.g. with postquantum ciphers) but 
have concerns about whether it is compatible with all of your existing clients.

--Ben

[1] https://www.rfc-editor.org/rfc/rfc9460.html#section-3-7
[2] https://www.ietf.org/archive/id/draft-ietf-tls-esni-22.html#section-7.1-3.1.1
________________________________
From: Watson Ladd <watsonbl...@gmail.com>
Sent: Saturday, October 5, 2024 6:16 PM
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Multiple SVCB/HTTPS records for same TargetName: possible 
errata in RFC 9460?

Dear dnsop,

In the course of discussing implementations of ECH I and Stephen
Farrell arrived at opposite conclusions about whether or not RFC 9460
prohibits or allows the following kind of configuration.

The zone puzzle.test.defo.ie has the following contents:

puzzle.test.defo.ie. 60 AAAA 2a00:c6c0:0:134:2:0:0:cd1
puzzle.test.defo.ie. 60 AAAA 2a00:c6c0:0:134:2:0:0:cd2
puzzle.test.defo.ie. 60 HTTPS 1 . ech=AEP+DQA/TwAgACANGCk5QZ0GWrmu1p7U3L2M73gyADqZkxhSy8x2/EIBLAAEAAEAAQAQY2QyLnRlc3QuZGVmby5pZQAA
puzzle.test.defo.ie. 60 HTTPS 1 . ech=AEP+DQA/BAAgACCW2/dfOBZAtQU55/py/BlhdRdaauPAkrERAUwppoeSEgAEAAEAAQAQY2QxLnRlc3QuZGVmby5pZQAA
(Apologies for small listing errors: DNS is not a technology I know
nearly as much as I should)

This is two different incompatible HTTPS records for the same
TargetName. My view is that this is not permissible: a server that
operates this way must expect either AAAA to receive a connection
configured with either ECH record, as outlined in section 2.4.3. There
is not an explicit prohibition on having two different HTTPS records
for the same target name, but I think this should be addressed
explicitly as it raises the question of which to use for a client and
makes a lot of text not make sense.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim
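The two ech= blobs in Watson's zone listing, and the config_id disambiguation Ben describes in his reply, can both be checked mechanically. The following is an added example, not code from either poster nor from any ECH implementation: it parses the HTTPS records above, decodes each ECHConfigList according to the wire layout in draft-ietf-tls-esni (length-prefixed list of version/length/ECHConfigContents), and then shows the server-side lookup by config_id that lets a server holding both keys tell the two configurations apart. The zone text is the page's own (wrapped lines joined); the KEM and cipher-suite identifiers named in comments are the HPKE registry values; the helper and function names are my own.

```python
import base64
import struct
from dataclasses import dataclass

# Zone contents as listed in the mail, with the wrapped HTTPS lines joined.
ZONE = """\
puzzle.test.defo.ie. 60 AAAA 2a00:c6c0:0:134:2:0:0:cd1
puzzle.test.defo.ie. 60 AAAA 2a00:c6c0:0:134:2:0:0:cd2
puzzle.test.defo.ie. 60 HTTPS 1 . ech=AEP+DQA/TwAgACANGCk5QZ0GWrmu1p7U3L2M73gyADqZkxhSy8x2/EIBLAAEAAEAAQAQY2QyLnRlc3QuZGVmby5pZQAA
puzzle.test.defo.ie. 60 HTTPS 1 . ech=AEP+DQA/BAAgACCW2/dfOBZAtQU55/py/BlhdRdaauPAkrERAUwppoeSEgAEAAEAAQAQY2QxLnRlc3QuZGVmby5pZQAA
"""

ECH_VERSION_DRAFT = 0xFE0D  # the ECHConfig version used by the draft series


@dataclass
class ECHConfig:
    version: int
    config_id: int
    kem_id: int                 # 0x0020 = DHKEM(X25519, HKDF-SHA256)
    public_key: bytes
    cipher_suites: list         # (kdf_id, aead_id) pairs; (1, 1) = HKDF-SHA256 / AES-128-GCM
    maximum_name_length: int
    public_name: str
    extensions: bytes


def _parse_contents(version: int, b: bytes) -> ECHConfig:
    """Parse one ECHConfigContents body (the bytes after version and length)."""
    pos = 0
    config_id = b[pos]; pos += 1
    (kem_id, pk_len) = struct.unpack_from("!HH", b, pos); pos += 4
    public_key = b[pos:pos + pk_len]; pos += pk_len
    if len(public_key) != pk_len:
        raise ValueError("truncated public_key")
    (cs_len,) = struct.unpack_from("!H", b, pos); pos += 2
    if cs_len % 4 or pos + cs_len > len(b):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!HH", b, pos + i) for i in range(0, cs_len, 4)]
    pos += cs_len
    max_name_len = b[pos]; pos += 1
    name_len = b[pos]; pos += 1
    public_name = b[pos:pos + name_len].decode("ascii"); pos += name_len
    if len(public_name) != name_len:
        raise ValueError("truncated public_name")
    (ext_len,) = struct.unpack_from("!H", b, pos); pos += 2
    extensions = b[pos:pos + ext_len]; pos += ext_len
    if pos != len(b):
        raise ValueError("trailing bytes in ECHConfig")
    return ECHConfig(version, config_id, kem_id, public_key, suites,
                     max_name_len, public_name, extensions)


def parse_ech_config_list(blob: bytes) -> list:
    """Parse an ECHConfigList; entries with an unknown version are skipped."""
    (total,) = struct.unpack_from("!H", blob, 0)
    if 2 + total != len(blob):
        raise ValueError("ECHConfigList length mismatch")
    off, end, configs = 2, 2 + total, []
    while off < end:
        version, length = struct.unpack_from("!HH", blob, off); off += 4
        body = blob[off:off + length]; off += length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version == ECH_VERSION_DRAFT:
            configs.append(_parse_contents(version, body))
    return configs


def https_ech_configs(zone_text: str) -> list:
    """Collect every ECHConfig advertised by HTTPS records in a zone listing."""
    found = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "HTTPS":
            continue
        for param in fields[5:]:                       # SvcParams follow the TargetName
            key, _, value = param.partition("=")
            if key == "ech":
                found.extend(parse_ech_config_list(base64.b64decode(value, validate=True)))
    return found


def select_by_config_id(configs: list, config_id: int):
    """Server-side disambiguation by the config_id carried in the ClientHello.
    Returns the single matching ECHConfig, or None when the server has no match
    (or an ambiguous collision) and would have to fall back to trial decryption."""
    matches = [c for c in configs if c.config_id == config_id]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for cfg in https_ech_configs(ZONE):
        print(f"config_id={cfg.config_id:3d} kem=0x{cfg.kem_id:04x} "
              f"suites={cfg.cipher_suites} public_name={cfg.public_name}")
```

Run as a script it prints one line per advertised ECHConfig; the two records decode to config_id 79 (public_name cd2.test.defo.ie) and config_id 4 (public_name cd1.test.defo.ie), both X25519 with HKDF-SHA256/AES-128-GCM. Because the ids differ, a server reachable at either AAAA that holds both private keys can pick the right key from the config_id alone, which is the disambiguation Ben's reply relies on; only if two configs shared an id would trial decryption be needed.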

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org