On Wed, Dec 19, 2018 at 01:47:35PM -0500, Ben Schwartz wrote:
> On Wed, Dec 19, 2018 at 6:28 AM Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>
> > But one could do that by
> > including address masks in ESNI records so clients can match ESNI
> > keys to addresses without breaking database normalization.
>
> No, this doesn't work. If the client has a AAAA RRSET and an ESNI RRSET,
> and the ESNI RRSET contains a mask that is not compatible with the AAAA
> RRSET, then the client can tell that it has the wrong IP addresses, but it
> has no way to acquire the right IP addresses.
At least the client can tell the result is not going to work and disable ESNI. Whereas with addresses there is no indication anything is wrong, leading to potentially unrecoverable failure.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
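The consistency check the two messages argue about, written out as an added example (it is not code from the thread, from the ESNI draft, or from any implementation). It assumes, as Ilari proposes, that an ESNI record carries a list of address prefixes (the `prefixes` field and the record layout are assumptions for this illustration); the AAAA RRset and ESNI record are constructed sample data. A client that finds its AAAA answers outside every prefix cannot obtain better addresses, as Ben notes, but it can at least detect the mismatch and fall back to a connection without ESNI instead of failing in a way it cannot diagnose.

```python
import ipaddress

# Constructed sample data (not from the thread). The AAAA RRset for some name,
# and an ESNI record that, per the proposal under discussion, also lists the
# prefixes its keys are valid for.
AAAA_RRSET = ["2001:db8:1::10", "2001:db8:1::11"]
ESNI_RECORD = {"key_id": "example-key", "prefixes": ["2001:db8:1::/64"]}


def usable_addresses(addresses, prefixes):
    """Return the subset of `addresses` that fall inside at least one prefix.

    Address-family mismatches (an IPv4 address against an IPv6 prefix) simply
    do not match; the ipaddress module's containment test handles that.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [a for a in addresses
            if any(ipaddress.ip_address(a) in n for n in nets)]


def choose_connection_plan(aaaa_rrset, esni_record):
    """Decide whether to use ESNI for this name, and toward which addresses.

    Returns (use_esni, addresses, reason). Design choice made here (an
    assumption, not something the thread specifies): when only some AAAA
    addresses match, ESNI is used only toward the matching ones.
    """
    if esni_record is None:
        return (False, list(aaaa_rrset), "no ESNI record published")

    prefixes = esni_record.get("prefixes") or []
    if not prefixes:
        # Record carries no address restriction: nothing to cross-check.
        return (True, list(aaaa_rrset), "ESNI record has no address restriction")

    matching = usable_addresses(aaaa_rrset, prefixes)
    if not matching:
        # Detectable mismatch: the client cannot fetch "the right" addresses,
        # but it can avoid an unexplained handshake failure by disabling ESNI.
        return (False, list(aaaa_rrset),
                "AAAA RRset outside all ESNI prefixes; ESNI disabled")
    if len(matching) < len(aaaa_rrset):
        return (True, matching,
                "partial match; ESNI used only toward matching addresses")
    return (True, matching, "all AAAA addresses inside ESNI prefixes")


if __name__ == "__main__":
    print(choose_connection_plan(AAAA_RRSET, ESNI_RECORD))
    print(choose_connection_plan(["2001:db8:2::10"], ESNI_RECORD))
```

The fallback to plain SNI when the check fails is the trade-off the thread is weighing: it gives up the privacy benefit for that connection, but it turns a silent, unrecoverable failure into an explicit, loggable decision the client can act on.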