On Tue, May 21, 2024 at 01:27:29AM +0100, Stephen Farrell wrote:
>
> What HTTPS RR parameters do we expect will see regular changes,
> and controlled by whom?
>
> It seems fairly clear that ECHConfig values will be changed
> often, e.g. hourly, which I think motivates the wkech thing,
> but I'm unclear how often other bits of HTTPS RRs might
> change and who may be in charge of those in real deployments.
>
> My mental picture is something like:
>
> what, changes how often, controlled by whom
> ech, maybe hourly, client-facing server admin
> alpn, rarely, client-facing server admin
> tls-supported-groups, rarely, client-facing server admin
> ipXhints, unpredictable, DNS admin?
>
> Does that look kinda right? Are there other things to
> consider now?
Things get more complicated if the server is behind a gateway, because some alpn values are incompatible with such a setup (especially h3). Those need to be filtered out. And another nice-to-have is sanity-checking the ech public name (that it points to the correct machine). Gateways do not need to care about groups, so tls-supported-groups can just be taken from the server.

Then there is the possibility that IPv4 has a gateway but IPv6 is direct-routed. Then HTTPS entries need to be duplicated with potentially different alpn values (filtered for IPv4, full for IPv6). HTTP/3 requires IPv6 in such a setup (as opposed to not working at all with the server entirely behind a gateway).

-Ilari
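The filtering and duplication Ilari describes, and the public-name sanity check, as an added example written for this page (editor's code, not from the thread or from any IETF draft implementation). It assumes a small `ServerParams` record of what the client-facing server advertises, that `h3` is the only ALPN value a gateway cannot carry, that the direct-routed address family gets the preferred (lower) SvcPriority, and it parses `public_name` from an ECHConfigList using the draft-ietf-tls-esni ECHConfig layout (version 0xfe0d). The ECHConfigList used as input is constructed inline with dummy key material.

```python
import base64
import struct
from dataclasses import dataclass, field

# Assumption for this example: ALPN IDs that need a direct path to the origin.
# The thread singles out h3 (QUIC over UDP) as incompatible with a gateway.
GATEWAY_INCOMPATIBLE_ALPN = {"h3"}

ECH_VERSION = 0xFE0D  # ECHConfig version from draft-ietf-tls-esni


@dataclass
class ServerParams:
    """What the client-facing server advertises (hypothetical record type)."""
    alpn: list
    ech: str                       # base64 ECHConfigList
    groups: list                   # tls-supported-groups, passed through unchanged
    ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)


def make_ech_config_list(public_name, config_id=7):
    """Construct a minimal ECHConfigList (dummy X25519 key) for the sample input."""
    contents = struct.pack("!BH", config_id, 0x0020)                 # config_id, kem_id
    contents += struct.pack("!H", 32) + b"\x00" * 32                 # public_key
    contents += struct.pack("!H", 4) + struct.pack("!HH", 1, 1)      # one cipher suite
    contents += struct.pack("!BB", 0, len(public_name)) + public_name.encode("ascii")
    contents += struct.pack("!H", 0)                                 # no extensions
    cfg = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(cfg)) + cfg).decode()


def ech_public_names(ech_b64):
    """Return the public_name of every recognised ECHConfig in an ECHConfigList."""
    data = base64.b64decode(ech_b64)
    (total,) = struct.unpack("!H", data[:2])
    body, names, pos = data[2:2 + total], [], 0
    while pos + 4 <= len(body):
        version, length = struct.unpack("!HH", body[pos:pos + 4])
        contents = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            continue  # unknown version: skip it, as a client would
        off = 3                                            # config_id(1) + kem_id(2)
        (pk_len,) = struct.unpack("!H", contents[off:off + 2]); off += 2 + pk_len
        (cs_len,) = struct.unpack("!H", contents[off:off + 2]); off += 2 + cs_len
        off += 1                                           # maximum_name_length
        name_len = contents[off]; off += 1
        names.append(contents[off:off + name_len].decode("ascii"))
    return names


def ech_public_name_ok(ech_b64, expected):
    """Sanity check: every ECHConfig names the machine that actually fronts the origin."""
    names = ech_public_names(ech_b64)
    return bool(names) and all(n == expected for n in names)


def filter_alpn(alpn, behind_gateway):
    """Drop ALPN values a gateway cannot carry; pass everything through on a direct path."""
    return [a for a in alpn if not (behind_gateway and a in GATEWAY_INCOMPATIBLE_ALPN)]


def format_https_rr(owner, priority, target, params):
    """Render one ServiceMode HTTPS RR in presentation format."""
    fields = [f'{k}="{v}"' if k in ("alpn", "ech") else f"{k}={v}" for k, v in params]
    return f"{owner} HTTPS {priority} {target} " + " ".join(fields)


def build_https_rrs(owner, server, v4_gateway, v6_gateway):
    """One record when both address families share a topology, else one per family."""
    common = [("ech", server.ech), ("tls-supported-groups", ",".join(server.groups))]
    if v4_gateway == v6_gateway:
        params = [("alpn", ",".join(filter_alpn(server.alpn, v4_gateway)))] + common
        if server.ipv4:
            params.append(("ipv4hint", ",".join(server.ipv4)))
        if server.ipv6:
            params.append(("ipv6hint", ",".join(server.ipv6)))
        return [format_https_rr(owner, 1, ".", params)]
    # Mixed topology: duplicate the entry, each family with its own filtered alpn.
    records = []
    for hint_key, addrs, gw in (("ipv6hint", server.ipv6, v6_gateway),
                                ("ipv4hint", server.ipv4, v4_gateway)):
        if not addrs:
            continue
        params = [("alpn", ",".join(filter_alpn(server.alpn, gw)))] + common
        params.append((hint_key, ",".join(addrs)))
        records.append(format_https_rr(owner, 2 if gw else 1, ".", params))
    return records


if __name__ == "__main__":
    srv = ServerParams(alpn=["h2", "h3"], ech=make_ech_config_list("gw.example.net"),
                       groups=["29", "23"], ipv4=["192.0.2.10"], ipv6=["2001:db8::10"])
    print("public name ok:", ech_public_name_ok(srv.ech, "gw.example.net"))
    for rr in build_https_rrs("svc.example.net.", srv, v4_gateway=True, v6_gateway=False):
        print(rr)
```

With IPv4 behind the gateway and IPv6 direct, the output is two records: the IPv6 one keeps `alpn="h2,h3"`, the IPv4 one is reduced to `alpn="h2"`, and both carry the same `ech` and `tls-supported-groups` taken straight from the server. Publishing the unfiltered list on the gatewayed path would advertise HTTP/3 that clients cannot actually reach, which is the failure the filter prevents.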