Re: Skipping DNS resolutions with ORIGIN frame

On Sun, Jul 16, 2017 at 12:15 PM, Nick Sullivan <
> wrote:

> There is merit to both sides. Requiring DNS adds a weak second factor for
> routing decisions, which is useful in multi-CDN situations, or extra-broad
> certificates, where you want to prevent a CDN from routing extra traffic
> via ORIGIN. On the other hand, skipping DNS is a big step forward for both
> performance and privacy, it basically solves the encrypted SNI issue.
I think this notion of exchanging the DNS weak second factor for some other
factor(s) with better perf and privacy properties is promising. Let's work
with that and thanks especially to Ryan for getting the conversation going
in that general direction.

First, I'd like to add to the ORIGIN benefit list - beyond perf and privacy
I believe ORIGIN is operationally superior to the DNS coalescing of 7540.
By 7540 rules this DNS test will fail any time the zone operator can't
return a set that matches the resolution that happened when the connection
was established. For any DNS server that has more addresses to choose from
than it puts in the RR set, this can be a challenge. I _know_ that 7540
coalescing fails all of the time because of this (and if it were because of
traffic management (which it generally is not because I've debugged it with
the operators) then ORIGIN provides a finer control for that anyhow)

ISTM the primary concern is that the DNS provision amplifies the power of
the certificate (depending on how much value you think DNS has a second
factor that could be by a factor of 1.0001 to MAXINT - we probably don't
need to come to consensus on it) in the case of misissuance or compromise.

So curating from the ideas floating around I would suggest that a origin
client MUST skip the DNS check if
a] the connection certificate used to validate the origin comes with SCT.
This is to mitigate against mis-issuance. Given that we can expect all
public certifcates published a year from now to deal with CT, this seems
pretty easy operationally to me.

b] the connection certificate used to validate the origin passes a
revocation check. This is to mitigate against compromise. In the case OCSP
was not stapled the client could choose between ocsp and just doing the dns
(or ignoring the origin extension). So there
is motivation to staple.

I don't think we want to make a certificate extension that says "opt-in to
skip DNS" (it is tatamount in some ways to selecting for people who have
something to hide that they're willing to put in the work to deal with
certificate changes - not a good privacy feature)..


Received on Sunday, 16 July 2017 19:25:55 UTC