To use Split Mode, a customer would use HTTPS records to direct clients to the CFS. These could be AliasMode records (if the customer does not require any customization of the HTTPS parameters), or they could be ServiceMode records that are periodically synchronized with the CFS's ECHConfig (e.g. using draft-ietf-tls-wkech).
The simplest split-mode CFS only supports ECH clients, so clients that don't use the HTTPS records (relying only on A/AAAA) cannot use it. This means that any ServiceMode records must use an explicit hostname, rather than ".", and a distinct set of IP addresses. However, a CFS that also implements forwarding of connections based on unencrypted SNI could be used by legacy clients as well.

--Ben

________________________________
From: Yizhe Zhang <yz6me=40virginia....@dmarc.ietf.org>
Sent: Saturday, November 2, 2024 12:07 PM
To: dnsop@ietf.org <dnsop@ietf.org>
Subject: [DNSOP] Questions Regarding ECH Split Mode DNS Configuration

Dear DNSOP,

We are researchers from the University of Virginia currently studying Encrypted Client Hello (ECH) and DNS HTTPS/SVCB. We have a few questions related to the ECH Split Mode DNS configuration and would greatly appreciate any insights you could provide.

In the RFC draft-ietf-tls-esni-22, Section 3.1, it is stated:

"In Split Mode, the provider is not the origin server for private domains. Rather, the DNS records for private domains point to the provider, and the provider's server relays the connection back to the origin server, who terminates the TLS connection with the client. Importantly, the service provider does not have access to the plaintext of the connection beyond the unencrypted portions of the handshake."

We are seeking clarification on the interpretation of the DNS records in this context. Does this imply that domain owners should configure their A/AAAA records to point directly to the client-facing server, or does it refer only to the HTTPS resource record?
If the configuration should point directly to the client-facing server, how does this server obtain the correct IP address of the back-end domain server? Additionally, does Split Mode assume a CDN-like environment for its intended operation?

Thank you very much for your time and help.

BR,
Yizhe Zhang
PhD Candidate
University of Virginia
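As an added illustration of the record layout Ben describes (this is example code, not part of the thread or of any IETF draft), the following Python builds HTTPS RDATA in RFC 9460 wire format for both an AliasMode record and a ServiceMode record that carries an ech parameter, decodes it back, and then checks an RRset against the two Split Mode constraints from the reply: a ServiceMode record must name an explicit target rather than "." (the origin name itself), and its addresses must be distinct from the origin's A/AAAA. The hostnames private.example and ech.cdn.example, the addresses, and the ECHConfigList bytes are constructed placeholders; the ech value is treated as opaque and is not a valid ECHConfigList.

```python
"""Added example (not from the thread): build and decode HTTPS RDATA per
RFC 9460 and check an RRset against the two Split Mode constraints in Ben's
reply.  Hostnames, addresses and the ECHConfigList bytes are constructed
placeholders; the ech value is opaque here, not a valid ECHConfigList."""
import struct

# SvcParamKey numbers from RFC 9460, Section 14.3.2
SVCPARAM_KEYS = {"mandatory": 0, "alpn": 1, "no-default-alpn": 2, "port": 3,
                 "ipv4hint": 4, "ech": 5, "ipv6hint": 6}
KEY_IPV4HINT, KEY_ECH = 4, 5


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name; "." (the root) is a lone zero octet."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode an uncompressed name at `off`; returns (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def alpn_value(ids):
    """alpn SvcParamValue: sequence of length-prefixed ALPN protocol ids."""
    return b"".join(bytes([len(i)]) + i.encode("ascii") for i in ids)


def ipv4hint_value(addrs):
    """ipv4hint SvcParamValue: concatenated 4-octet addresses."""
    return b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)


def encode_https_rdata(priority: int, target: str, params=None) -> bytes:
    """priority 0 = AliasMode (no SvcParams); >0 = ServiceMode.  SvcParams are
    emitted in strictly increasing key order (RFC 9460, Section 2.2)."""
    params = params or {}
    if priority == 0 and params:
        raise ValueError("AliasMode records carry no SvcParams")
    body = b""
    for name, value in sorted(params.items(), key=lambda kv: SVCPARAM_KEYS[kv[0]]):
        body += struct.pack("!HH", SVCPARAM_KEYS[name], len(value)) + value
    return struct.pack("!H", priority) + encode_name(target) + body


def decode_https_rdata(rdata: bytes):
    """Return (priority, target, {key_number: raw_value}); rejects misordered keys."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, off = decode_name(rdata, 2)
    params, last = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last:
            raise ValueError("SvcParamKeys must be strictly increasing")
        last = key
        params[key] = rdata[off:off + length]
        off += length
    return priority, target, params


def split_mode_issues(owner: str, rrset, origin_ipv4) -> list:
    """Problems a simple ECH-only split-mode CFS has with the HTTPS RRset at
    `owner`, following Ben's reply: ServiceMode records need an explicit target
    other than the owner itself, addresses distinct from the origin's A/AAAA,
    and an ech parameter so ECH clients can actually use the CFS."""
    issues = []
    for rdata in rrset:
        priority, target, params = decode_https_rdata(rdata)
        if priority == 0:
            continue  # AliasMode: the target name's own records carry the ECH config
        if target in (".", owner):
            issues.append(f"ServiceMode target {target!r} is the origin name")
        if KEY_ECH not in params:
            issues.append(f"ServiceMode record for {target} has no ech parameter")
        hints = params.get(KEY_IPV4HINT, b"")
        for i in range(0, len(hints), 4):
            addr = ".".join(str(b) for b in hints[i:i + 4])
            if addr in origin_ipv4:
                issues.append(f"ipv4hint {addr} is an origin address, not the CFS")
    return issues


# Constructed sample: origin private.example keeps its own A record for legacy
# clients; the CFS is reachable at ech.cdn.example with distinct addresses.
ORIGIN, ORIGIN_IPV4 = "private.example.", {"198.51.100.7"}
FAKE_ECHCONFIGLIST = b"\x00\x04ECHC"  # placeholder bytes, not a real ECHConfigList
GOOD = [encode_https_rdata(1, "ech.cdn.example.", {
    "alpn": alpn_value(["h2"]), "ipv4hint": ipv4hint_value(["192.0.2.10"]),
    "ech": FAKE_ECHCONFIGLIST})]
ALIAS = [encode_https_rdata(0, "ech.cdn.example.")]
BAD = [encode_https_rdata(1, ".", {"alpn": alpn_value(["h2"]),
                                   "ipv4hint": ipv4hint_value(["198.51.100.7"])})]

if __name__ == "__main__":
    for label, rrset in (("good", GOOD), ("alias", ALIAS), ("bad", BAD)):
        print(label, split_mode_issues(ORIGIN, rrset, ORIGIN_IPV4) or "ok")
```

The BAD set reproduces the mistake Ben warns against: a ServiceMode record whose target is "." with hints equal to the origin's own address, so the checker reports three problems, while the AliasMode record passes because the ECH configuration lives on the target name's own HTTPS record, which is where a draft-ietf-tls-wkech-style sync would keep it current.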