On Tue, Dec 18, 2018 at 10:46:29PM +0000, Salz, Rich wrote:
> Here is how it usually works. Not everyone necessarily does it this
> way, but in our experience almost all of them do.
>
> 1. Sites use a CNAME, usually using a host-specific name.
>
> 2. Sometimes the CDN owns the DNS entry.

There is also:

3. The site owns the zone apex DNS entry.

And since it is the zone apex, no CNAME can be used (yes, everything falls apart in practice if you do). So the zone owner inserts a bunch of A/AAAA records pointing at the CDN (or worse, CDNs).

Fixing the above is a perennial topic. Proposals include CNAME-like mechanisms scoped to just addresses, and HTTP service discovery mechanisms (as most popular things other than HTTP already do service discovery).

> Having the ESNI RRtype include optional a/quadA records is something
> we have talked about internally. If so, it should be part of the RRtype
> definition, of course. We came to the same idea. Of course, we will
> then have to fight the intent to make this "generic server record"
> data such as draft-nygren-service-bindings. :)

The only use for addresses in ESNI records I can come up with is scoping keys to particular addresses. But one could do that by including address masks in ESNI records so clients can match ESNI keys to addresses without breaking database normalization.

And if one is dealing with the third case above, the solutions are basically service discovery. And then one presumably would want it to be service-specific (as there are other rarer services that also lack discovery besides HTTP).

> DNS is a strange and wondrous beast, like a bear riding a bicycle.
> We should make sure that DNS folks are heavily involved in this draft.

Here are some tips:

- If you have name references, encode those in DNS wire format and preferably put them first, so that recursives can follow them and include records they think are helpful.
- Do not assume the above happens (but do assume it may happen). The client has to act as a backstop.
- DNS is 8-bit clean just fine with new types.
- Records do not need explicit terminators.
- There can be many records for each type on the same owner.
- The unit of atomicity is the set of records with the same (owner, class, type) combo.
- The 64kB limit is not just for an individual record but for the whole set of records with the same (owner, class, type). And to be safe, limit it to 63.5kB minus 12 bytes per record.

The following are Bad Ideas:

- Using type or class ANY (a.k.a. *).
  - Type ANY does the wrong thing.
  - Class ANY does a completely nonsensical thing.
- Defining a new class.
- Using a class other than IN (Internet).
- If you use labels, using lots of different labels at the outermost level.
- Putting anything into a new type that DNS cannot treat as a blob.
- Assuming authoritatives do anything smart.
- Assuming authoritatives follow any references.
- Assuming different types are in any way atomic w.r.t. each other.
- Copying the TXT record wire format.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
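A small checker for the wire-format and RRset-size tips above, as an added example that is not part of the mailing-list post; the record layout (name references first, then an opaque blob), the CDN host names and the key blobs are constructed assumptions, not anything from the ESNI draft.

```python
# Added example (not from the thread): lay out a hypothetical new RRtype
# per the tips above (name references in DNS wire format placed first in
# the RDATA, followed by an opaque blob with no terminator) and keep the
# whole (owner, class, type) RRset under "63.5kB minus 12 bytes per record".
from typing import List, Tuple

RRSET_BUDGET = 63_500        # "63.5kB", the conservative RRset ceiling
PER_RECORD_OVERHEAD = 12     # bytes reserved per record in the set


def encode_name(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format (RFC 1035 labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)             # root label terminates the name
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def build_rdata(ref_names: List[str], blob: bytes) -> bytes:
    """RDATA = wire-format name references first, then an opaque blob.
    Names come first so a recursive can find and follow them; the blob
    needs no terminator because RDLENGTH already delimits the record."""
    return b"".join(encode_name(n) for n in ref_names) + blob


def rrset_fits(rdatas: List[bytes]) -> Tuple[bool, int]:
    """Check one (owner, class, type) RRset against the conservative
    budget: sum of RDATA plus 12 bytes per record must stay <= 63.5kB."""
    total = sum(len(r) for r in rdatas) + PER_RECORD_OVERHEAD * len(rdatas)
    return total <= RRSET_BUDGET, total


# Constructed sample: two records on one owner, each referencing a
# (hypothetical) CDN host name and carrying a small key blob.
SAMPLE = [
    build_rdata(["cdn1.example.net"], b"\x00\x01" + b"\xaa" * 40),
    build_rdata(["cdn2.example.net"], b"\x00\x01" + b"\xbb" * 40),
]

if __name__ == "__main__":
    ok, size = rrset_fits(SAMPLE)
    print(f"rrset size {size} bytes, within budget: {ok}")
```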