On Tue, Dec 18, 2018 at 2:56 PM Salz, Rich <rs...@akamai.com> wrote:

> > - I'd like to propose a solution to the ESNI + Multi-CDN problem (which has been discussed a lot on this list already). My suggestion is that we define the ESNI DNS record format as optionally including "stapled" A/AAAA records.
>
> As in a multiple response? That might be interesting, but it allows an adversary to just strip those responses, right?

I don't think I mean "multiple response" in the DNS sense. What I mean by "stapling" is "the ESNI RRTYPE has a defined format that can convey both the ESNIKeys structure and some IP addresses". This is all RFC 3597-compliant, and is a unified opaque blob to DNSSEC.

> > This kind of address stapling would only be required of CDN operators who want to support multi-CDN deployments.
>
> Or anyone who maintains DNS records for a site that wants multi-CDN. Many of our customers, for example, maintain their own DNS. I'd say it's common because they want to switch quickly (very short TTL). Yes, this usually is okay because the initial redirection is done via CNAME, but it is worth calling out that explicitly.

OK, to be precise, the stapling would be required of multi-CDN customers _if_ they do not use CNAME, and instead maintain the various CDNs' A/AAAA records in their own zone. As I think you are noting, this is unusual; most multi-CDN customers use CNAME, which (in this design) means that they do not have to think about ESNI at all.

> /r$
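To make the "unified opaque blob" point concrete, here is an added example (not code from the thread, the ESNI draft, or any DNS implementation) of what a stapled ESNI record could look like on the wire and in RFC 3597 generic presentation syntax. The internal RDATA layout (length-prefixed ESNIKeys bytes followed by counted lists of IPv4 and IPv6 addresses), the provisional type number 65439, the owner name `_esni.example.com.` and the placeholder ESNIKeys bytes are all assumptions made for this example. The digest function stands in for what a DNSSEC RRSIG covers: because the addresses live inside the single RDATA, an on-path attacker cannot strip them without invalidating the whole record.

```python
"""Added example: one ESNI RR carrying ESNIKeys plus "stapled" A/AAAA addresses
as a single RFC 3597 opaque RDATA blob.

The layout below is an assumption for this example; it is not the ESNI
draft's wire format.  Assumed RDATA layout:
    uint16  esnikeys_len
    opaque  esnikeys[esnikeys_len]   (ESNIKeys, treated here as opaque bytes)
    uint8   n_v4, then n_v4 * 4  bytes (stapled A addresses)
    uint8   n_v6, then n_v6 * 16 bytes (stapled AAAA addresses)
"""

import hashlib
import ipaddress
import re
import struct

ESNI_RRTYPE = 65439  # provisional TYPE number; an assumption for this example


def encode_rdata(esnikeys: bytes, addresses) -> bytes:
    """Serialise ESNIKeys and the stapled addresses into one RDATA byte string."""
    if len(esnikeys) > 0xFFFF:
        raise ValueError("ESNIKeys too long for a uint16 length prefix")
    parsed = [ipaddress.ip_address(a) for a in addresses]
    v4 = [a for a in parsed if a.version == 4]
    v6 = [a for a in parsed if a.version == 6]
    if len(v4) > 255 or len(v6) > 255:
        raise ValueError("too many stapled addresses for a uint8 count")
    out = struct.pack("!H", len(esnikeys)) + esnikeys
    out += struct.pack("!B", len(v4)) + b"".join(a.packed for a in v4)
    out += struct.pack("!B", len(v6)) + b"".join(a.packed for a in v6)
    return out


def decode_rdata(rdata: bytes):
    """Inverse of encode_rdata.  Raises ValueError on truncated or padded input,
    which is what a resolver or client must do with a malformed opaque RR."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(rdata):
            raise ValueError("truncated RDATA")
        chunk = rdata[pos:pos + n]
        pos += n
        return chunk

    (klen,) = struct.unpack("!H", take(2))
    esnikeys = take(klen)
    (n4,) = struct.unpack("!B", take(1))
    addrs = [str(ipaddress.IPv4Address(take(4))) for _ in range(n4)]
    (n6,) = struct.unpack("!B", take(1))
    addrs += [str(ipaddress.IPv6Address(take(16))) for _ in range(n6)]
    if pos != len(rdata):
        raise ValueError("trailing bytes in RDATA")
    return esnikeys, addrs


def to_rfc3597(owner: str, ttl: int, rdata: bytes) -> str:
    """RFC 3597 section 5 generic syntax: '<owner> <ttl> IN TYPEnnn \\# <len> <hex>'.
    Any zone file tool that understands RFC 3597 can carry and sign this line
    without knowing what is inside."""
    return f"{owner} {ttl} IN TYPE{ESNI_RRTYPE} \\# {len(rdata)} {rdata.hex()}"


_RFC3597_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+TYPE(\d+)\s+\\#\s+(\d+)\s*(.*)$")


def from_rfc3597(line: str):
    """Parse the generic syntax back into (owner, ttl, rrtype, rdata)."""
    m = _RFC3597_LINE.match(line.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    owner, ttl, rrtype, length, hexdata = m.groups()
    rdata = bytes.fromhex("".join(hexdata.split()))  # hex may be space-separated
    if len(rdata) != int(length):
        raise ValueError("RDATA length field does not match hex data")
    return owner, int(ttl), int(rrtype), rdata


def rdata_digest(rdata: bytes) -> str:
    """Stand-in for the data an RRSIG covers: the entire RDATA.  Removing or
    changing a stapled address changes this value, so the addresses cannot be
    stripped independently of the key material."""
    return hashlib.sha256(rdata).hexdigest()


if __name__ == "__main__":
    keys = bytes.fromhex("ff0100")  # constructed placeholder, not real ESNIKeys
    rdata = encode_rdata(keys, ["192.0.2.10", "2001:db8::10", "198.51.100.7"])
    line = to_rfc3597("_esni.example.com.", 60, rdata)
    print(line)
    print(decode_rdata(from_rfc3597(line)[3]))
    print(rdata_digest(rdata))
```

Run it directly to see the zone-file line and the round trip; the decoder rejects truncated or padded RDATA rather than silently returning a partial address list.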
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls