Hi Ben,

Thank you so much for your insights! I have some follow-up questions regarding the Service Mode setups, and I would greatly appreciate your help.

Let's say there's a back-end domain on IP A, and a CFS on IP B. In order to successfully use ECH (SplitMode) in ServiceMode, would the operator need to:

1. In the HTTPS RR, set the ECH parameter to point to the CFS domain.
2. At the same time, for A/AAAA records, set the IP address to point to the CFS's IP, so that the browser can establish a direct connection to the CFS server.

If the back-end server's IP is still resolved to the original back-end server's IP, it seems the client browser would initiate the connection to the back-end server for ECH verification, and potentially fail.

Please let me know if there are any misunderstandings in my approach. I greatly appreciate your time and help!

Best regards,
Yizhe

On Mon, Nov 4, 2024 at 10:31 AM Ben Schwartz <bemasc=40meta....@dmarc.ietf.org> wrote:
> To use Split Mode, a customer would use HTTPS records to direct clients to the CFS. These could be AliasMode records (if the customer does not require any customization of the HTTPS parameters), or they could be ServiceMode records that are periodically synchronized with the CFS's ECHConfig (e.g. using draft-ietf-tls-wkech).
>
> The simplest split-mode CFS only supports ECH clients, so clients that don't use the HTTPS records (relying only on A/AAAA) cannot use it. This means that any ServiceMode records must use an explicit hostname, rather than ".", and a distinct set of IP addresses. However, a CFS that also implements forwarding of connections based on unencrypted SNI could be used by legacy clients as well.
>
> --Ben
> ------------------------------
> *From:* Yizhe Zhang <yz6me=40virginia....@dmarc.ietf.org>
> *Sent:* Saturday, November 2, 2024 12:07 PM
> *To:* dnsop@ietf.org <dnsop@ietf.org>
> *Subject:* [DNSOP] Questions Regarding ECH Split Mode DNS Configuration
>
> Dear DNSOP,
>
> We are researchers from the University of Virginia currently studying Encrypted Client Hello (ECH) and DNS HTTPS/SVCB. We have a few questions related to the ECH Split Mode DNS configuration and would greatly appreciate any insights you could provide.
>
> In the RFC draft-ietf-tls-esni-22, Section 3.1, it is stated:
> "In Split Mode, the provider is not the origin server for private domains. Rather, *the DNS records for private domains* point to the provider, and the provider's server relays the connection back to the origin server, who terminates the TLS connection with the client. Importantly, the service provider does not have access to the plaintext of the connection beyond the unencrypted portions of the handshake."
>
> We are seeking clarification on the interpretation of the DNS records in this context. Does this imply that domain owners should configure their A/AAAA records to point directly to the client-facing server, or does it refer only to the HTTPS resource record?
>
> If the configuration should point directly to the client-facing server, how does this server obtain the correct IP address of the back-end domain server? Additionally, does Split Mode assume a CDN-like environment for its intended operation?
>
> Thank you very much for your time and help.
>
> BR,
> Yizhe Zhang
> *PhD Candidate*
> *University of Virginia*
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
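The DNS layouts discussed in the thread (AliasMode to the CFS, ServiceMode with an explicit hostname, and the ServiceMode-with-"." variant the follow-up asks about), worked through in an added model of how an RFC 9460 HTTPS-record-aware client picks the IP it connects to and which ECH key it therefore encrypts to. This is illustration added here, not code from the thread or from any participant. The zone data, the names example.com. and cfs.example.net., the addresses, and the ECHConfigList token are all constructed; AAAA records and ipv4hint/ipv6hint are left out, and the ECHConfigList is an opaque string because only "which server holds the matching private key" matters for the question. It also goes one step beyond the thread by modelling a CFS that does forward plaintext-SNI connections, Ben's last sentence, next to the ECH-only one.

```python
"""Client-side model of RFC 9460 HTTPS-record resolution, reduced to what
matters for ECH Split Mode: which IP the client connects to and whether the
server there holds the ECH key the client encrypted to.  Added illustration,
not code from the thread; all names, addresses and ECH values are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

CFS_ECH = "ECHConfigList(cfs.example.net)"   # stand-in token for the ech= blob
ORIGIN, CFS = "example.com.", "cfs.example.net."        # constructed names
ORIGIN_IP, CFS_IP = "198.51.100.1", "192.0.2.2"         # documentation IPs
MAX_ALIAS_CHAIN = 8   # RFC 9460 asks clients to bound AliasMode chains


@dataclass(frozen=True)
class HTTPSRecord:
    priority: int              # 0 = AliasMode, >= 1 = ServiceMode
    target: str                # "." = the owner name itself
    ech: Optional[str] = None  # ech= SvcParam, if present


@dataclass(frozen=True)
class Server:
    name: str
    ech_keys: FrozenSet[str]   # ECHConfigLists whose private keys it holds
    terminates_origin: bool    # the origin itself: serves plaintext-SNI clients
    forwards_by_sni: bool      # a CFS that also relays plaintext-SNI connections


Zone = Dict[Tuple[str, str], Any]   # (owner, rrtype) -> HTTPSRecord or [ip, ...]


def resolve_connection(zone: Zone, origin: str,
                       https_aware: bool) -> Tuple[str, Optional[str]]:
    """(ip, ech) the client will use.  Legacy clients take the origin's A
    record.  HTTPS-aware clients follow AliasMode hops, then look up A for the
    ServiceMode TargetName ("." means the owner name) and adopt its ech=."""
    name, ech = origin, None
    if https_aware:
        for _ in range(MAX_ALIAS_CHAIN):
            rr = zone.get((name, "HTTPS"))
            if rr is None:
                break
            if rr.priority == 0:        # AliasMode: hop to the target
                name = rr.target
                continue
            ech = rr.ech                # ServiceMode: adopt its parameters
            if rr.target != ".":
                name = rr.target
            break
    ips: List[str] = zone.get((name, "A"), [])
    if not ips:
        raise LookupError(f"no A record for {name}")
    return ips[0], ech


def connect(zone: Zone, servers: Dict[str, Server], origin: str,
            https_aware: bool) -> str:
    """Classify what happens once the client reaches the chosen IP."""
    ip, ech = resolve_connection(zone, origin, https_aware)
    srv = servers[ip]
    if ech is not None:
        # Only the holder of the matching private key can open the inner
        # ClientHello; anyone else sees just the outer hello.
        return "ech_ok" if ech in srv.ech_keys else "ech_undecryptable"
    if srv.terminates_origin:
        return "plaintext_sni_direct"
    if srv.forwards_by_sni:
        return "plaintext_sni_forwarded"
    return "no_service"                 # an ECH-only CFS has nothing to do


ORIGIN_SRV = Server(ORIGIN, frozenset(), True, False)
CFS_ECH_ONLY = Server(CFS, frozenset({CFS_ECH}), False, False)
CFS_SNI_FWD = Server(CFS, frozenset({CFS_ECH}), False, True)
NET_ECH_ONLY = {ORIGIN_IP: ORIGIN_SRV, CFS_IP: CFS_ECH_ONLY}
NET_SNI_FWD = {ORIGIN_IP: ORIGIN_SRV, CFS_IP: CFS_SNI_FWD}

# 1. AliasMode at the origin, CFS publishes its own ServiceMode record:
#    example.com. HTTPS 0 cfs.example.net. / cfs.example.net. HTTPS 1 . ech=...
ZONE_ALIAS: Zone = {(ORIGIN, "HTTPS"): HTTPSRecord(0, CFS), (ORIGIN, "A"): [ORIGIN_IP],
                    (CFS, "HTTPS"): HTTPSRecord(1, ".", CFS_ECH), (CFS, "A"): [CFS_IP]}
# 2. ServiceMode, explicit TargetName, CFS's own addresses:
#    example.com. HTTPS 1 cfs.example.net. ech=...
ZONE_EXPLICIT: Zone = {(ORIGIN, "HTTPS"): HTTPSRecord(1, CFS, CFS_ECH),
                       (ORIGIN, "A"): [ORIGIN_IP], (CFS, "A"): [CFS_IP]}
# 3. The layout asked about: example.com. HTTPS 1 . ech=...  with the A record
#    still at the origin.
ZONE_DOT_ORIGIN_IP: Zone = {(ORIGIN, "HTTPS"): HTTPSRecord(1, ".", CFS_ECH),
                            (ORIGIN, "A"): [ORIGIN_IP]}
# 4. Same record, but the A record moved to the CFS (legacy clients land there).
ZONE_DOT_CFS_IP: Zone = {(ORIGIN, "HTTPS"): HTTPSRecord(1, ".", CFS_ECH),
                         (ORIGIN, "A"): [CFS_IP]}

if __name__ == "__main__":
    for label, zone, net in [("alias", ZONE_ALIAS, NET_ECH_ONLY),
                             ("explicit", ZONE_EXPLICIT, NET_ECH_ONLY),
                             ("dot, A->origin", ZONE_DOT_ORIGIN_IP, NET_ECH_ONLY),
                             ("dot, A->cfs", ZONE_DOT_CFS_IP, NET_ECH_ONLY),
                             ("dot, A->cfs, SNI fwd", ZONE_DOT_CFS_IP, NET_SNI_FWD)]:
        print(f"{label:22} ECH client: {connect(zone, net, ORIGIN, True):18}"
              f" legacy client: {connect(zone, net, ORIGIN, False)}")
```

Layouts 1 and 2 send ECH-capable clients to the CFS's addresses while legacy clients keep going straight to the origin's own A record, which is why the origin's A/AAAA does not need to change. Layout 3 is the failure the follow-up describes: TargetName "." makes the client resolve example.com.'s own A record, so the ECH ClientHello lands on the origin, which does not hold the CFS's private key and sees only the outer hello (the model just reports the key mismatch rather than replaying the TLS fallback). Layout 4 moves the A record to the CFS, which fixes ECH clients but strands legacy clients unless the CFS forwards by plaintext SNI.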