(Trimming bits down...) On 21/11/2018 00:59, Eric Rescorla wrote: > On Tue, Nov 20, 2018 at 4:36 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> >> Aren't DNS answers RRsets? I may be wrong but I thought DNS >> clients have to handle that anyway, > > > Not really, because any of them is co-valid.
Sure, in DNS terms. > We currently permit >1 RR, but > actually > I suspect that it would be better to try to restrict this. Not sure we can and I suspect that'd raise DNS-folks' hackles, but maybe I'm wrong. >> That said, >1 ciphersuite wouldn't be so bad if that were >> the only list per RData instance. Or maybe one could get >> rid of it entirely via some conditional link the to set >> of suites in the CH, not sure. (Or just go fully experimental >> and say everyone doing esni for now has to use the same >> suite all the time.) >> > > I've implemented this and did not find it to be a major obstacle. > I do not think unnecessary duplication is a good tradeoff for > such a trivial implementation complexity reduction. Sure a list of ciphersuites isn't bad. But the current design has a set of keys and a set of ciphersuites and a set of extensions and a set of Rdata values in the RRset. Surely we can collapse at least most of those down to one list without too much of a problem. And as to trivial, I'd bet a beer on such complexity being a source of bugs every time. > I don't see any advantage to choosing a suboptimal design, just > based on it being Experimental. All designs are suboptimal for someone:-) >>> - get rid of not_before/not_after - I don't believe those >>>> are useful given TTLs and they'll just lead to failures >>>> >>> >>> I'm mostly ambivalent on this, but on balance, I think these are useful, >>> as they are not tied to potentially fragile DNS TTLs. >> >> If there were a justification offered for 'em I'd be >> ok with it, but TBH, I'm not seeing it. And my main >> experience of the similar dates on RRSIGs are that they >> just break things and don't help. > > > This has a totally different expiry behavior from RRSIGs, so I'm > not sure that's that useful an analogy. Disagree. They're both specifying a time window for DNS data. Same problems will arise is my bet. My main ask though for these time values is that their presence be explicitly justified. That's missing now, and I suspect won't be convincing, but maybe I'll turn out to be wrong. >> Put another way, I >> don't know what sensible code to write to decide between >> not connecting or sending SNI in clear if one of these >> dates is out of whack. (I be tempted to just ignore the >> time constraints and try send the SNI encrypted instead.) >> > > You should connect with SNI in the clear. As a generic browser, I guess so. As some specialised privacy sensitive application, not sure. As a library that could be used for either, I'm not clear there's a good answer other than ignoring the artificial time window and encrypting anyway. > And having to deploy a cron job equivalent for the DNS >> data is an order of magnitude harder than not. >> > > Nothing stops you having an infinite expiry. Nothing stops us deleting the useless dates:-) > They will also use different keys for x and y, so they will > have different records and can have different pad lengghts. All going well, yes. All not going well, the pad lengths may get out of whack, exposing names. > How about rounding up to the nearest power of 2 that's >> bigger than 5? (Or some such.) > > I don't know what this means. Ah sorry. I meant just take the length of the server name and pad to the shortest of 32, 64, 128 or 256 octets. (Or some other breakpoints.) I'm sure we could do some measurement so that an acceptable fraction of names fit in the shortest bucket. (Didn't DKG do work on that for DNS padding?) >> (As a >> nasty hack, you could even derive the padded_length >> from the value of the key_share and fronters could just >> keep generating shares until they get one that works:-) > > I thought you were complaining about complexity That's not complex, it's just waay hacky:-) It'd actually be simpler for the client to just take some (e.g. low order) bits of the key share as the padded_length. More work for the people generating the key share yes, (they need to keep iterating 'till they find a key share that works for their preferred padding_length) but that's easy, offline, done by fewer folks and removes a way of screwing up the ops. All-in-all, while it's too hacky it's not complex at all. Cheers, S. > > -Ekr > > >>> - I'm not convinced the checksum is useful, but it's not >>>> hard to handle >>>> - (Possibly) drop the base64 encoding, make it DNS operator >>>> friendly text (or else binary with a zonefile text format >>>> defined in addition) >>>> >>> >>> We are likely to drop the base64 encoding. >> >> Ack. >> >> And just to note again - I suspect a bunch of the above would >> be better sorted out as ancillary changes once a multi-CDN >> proposal is figured out. >> >> Cheers, >> S. >> >>> >>> -Ekr >>> >>> >>> >>>> [1] https://github.com/sftcd/openssl/tree/master/esnistuff >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>> >> >
0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
