Dear DNSOP,

We are researchers from the University of Virginia currently studying Encrypted Client Hello (ECH) and DNS HTTPS/SVCB. We have a few questions related to the ECH Split Mode DNS configuration and would greatly appreciate any insights you could provide.

In the RFC draft-ietf-tls-esni-22, Section 3.1, it is stated:

"In Split Mode, the provider is not the origin server for private domains. Rather, the DNS records for private domains point to the provider, and the provider's server relays the connection back to the origin server, who terminates the TLS connection with the client. Importantly, the service provider does not have access to the plaintext of the connection beyond the unencrypted portions of the handshake."

We are seeking clarification on the interpretation of the DNS records in this context. Does this imply that domain owners should configure their A/AAAA records to point directly to the client-facing server, or does it refer only to the HTTPS resource record? If the configuration should point directly to the client-facing server, how does this server obtain the correct IP address of the back-end domain server? Additionally, does Split Mode assume a CDN-like environment for its intended operation?

Thank you very much for your time and help.

BR,
Yizhe Zhang
PhD Candidate
University of Virginia
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
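As an added example (not part of the message above or of the ECH draft), the following Python encodes a constructed HTTPS record for a private origin whose `ech` SvcParam carries an ECHConfig naming the client-facing server as `public_name`, then parses it the way a client would, separating the visible outer SNI, the encrypted inner SNI, and the name whose A/AAAA records the client resolves (the TargetName, or the owner name when TargetName is "."). The domain names, the `config_id` and the all-zero public key are assumed placeholders.

```python
import struct

# Constructed example values; the key is a zero placeholder, not a real HPKE key.
PRIVATE_ORIGIN = "private.example"  # backend origin; carried only in the encrypted inner SNI
CLIENT_FACING = "public.example"    # provider's client-facing server; ECHConfig.public_name
PLACEHOLDER_PUBKEY = bytes(32)

def dns_name(name):  # wire-format name: length-prefixed labels, then the root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def ech_config_list(public_name, pubkey, config_id=0x2A):
    """One ECHConfig (version 0xfe0d) wrapped in an ECHConfigList."""
    key_config = (bytes([config_id]) + struct.pack("!H", 0x0020)  # DHKEM(X25519, HKDF-SHA256)
                  + struct.pack("!H", len(pubkey)) + pubkey
                  + struct.pack("!HHH", 4, 0x0001, 0x0001))       # one suite: HKDF-SHA256, AES-128-GCM
    contents = (key_config + bytes([0]) + bytes([len(public_name)]) + public_name.encode()
                + struct.pack("!H", 0))                           # max_name_length 0, no extensions
    config = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return struct.pack("!H", len(config)) + config

def https_rdata(priority, target, params):  # SvcPriority, TargetName, SvcParams (key 5 = ech)
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(params.items()))
    return struct.pack("!H", priority) + dns_name(target) + body

def parse_https_rdata(rdata):
    priority, pos, labels, params = struct.unpack("!H", rdata[:2])[0], 2, [], {}
    while rdata[pos]:
        labels.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode())
        pos += 1 + rdata[pos]
    pos += 1
    while pos < len(rdata):
        k, n = struct.unpack("!HH", rdata[pos:pos + 4])
        params[k], pos = rdata[pos + 4:pos + 4 + n], pos + 4 + n
    return priority, ".".join(labels) or ".", params

def ech_public_name(echconfiglist):
    """public_name of the first ECHConfig: what the client sends as the visible outer SNI."""
    pos = 9                                                        # list len, version, length, config_id, kem_id
    pos += 2 + struct.unpack("!H", echconfiglist[pos:pos + 2])[0]  # skip public_key
    pos += 2 + struct.unpack("!H", echconfiglist[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1                                                       # skip maximum_name_length
    return echconfiglist[pos + 1:pos + 1 + echconfiglist[pos]].decode()

def split_mode_view(private_origin, rdata):
    """What a client derives from the private origin's HTTPS record (RFC 9460 + ECH draft)."""
    _, target, params = parse_https_rdata(rdata)
    return {"inner_sni": private_origin, "outer_sni": ech_public_name(params[5]),
            "resolve_for_ip": private_origin if target == "." else target}  # name whose A/AAAA the client uses

RDATA = https_rdata(1, CLIENT_FACING, {5: ech_config_list(CLIENT_FACING, PLACEHOLDER_PUBKEY)})
```

The inner SNI is readable only by the holder of the ECH private key, so an on-path observer sees `public.example` in the outer SNI while the connection is routed to whichever address the TargetName's A/AAAA records give.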