Re: Skipping DNS resolutions with ORIGIN frame

On Fri, Jul 14, 2017 at 11:30 PM, Patrick McManus <>

> Hey Ryan, thanks for the comments.
> On Fri, Jul 14, 2017 at 3:18 PM, Ryan Hamilton <> wrote:
>> . It is crystal clear that saving DNS resolutions represents a real
>> performance win, especially for long-tail users.
> I want to re-emphasize here that I believe a perhaps larger win here is
> the privacy implication of a lookup never made - especially when combined
> with secondary certificates and exported authentiactors (still to come to
> h2). This achieves much of what encrypted SNI could do.

​Interesting point. It's a bit of a tradeoff between privacy and security
then, I suppose.

> My first question is would you be ok with just loosening the draft
> language a little bit.. i.e. instead of saying must not consult DNS, define
> this in a way that it is the client's decision.

​I think that'd definitely a step in the right direction, but I heard some
real security concerns about "blindly"​ skipping resolution in this case,
so I'm interested to hear what the group things about the advisability of
doing this.

As I've said before, I don't think the DNS is providing any real value here
> now that ORIGIN is playing the role of traffic routing. Indeed it is
> creating a privacy cost - so I'm eager to get it out of the loop.
> If we can't get consensus on that I'd prefer some kind of stapled
> assertion that kept the perf and privacy properties of the current draft. I
> guess that could be dnssec though that would certainly limit use for imo
> limited value..

​It does seem like a stapled DNSSEC response is a plausible option here!

> I'm not sure I fully understand what you're thinking of wrt expect-ct
> -does it fit that model?

​I don't think I was thinking about expect-ct per-se. Instead, folks were
thinking that we could consider skipping DNS resolutions when the
certificate is valid according to the CT logs that the client has access
too. This is a different sort of assertion from a second source that helps
mitigate the impact of a mis-issued certificate, which is the main fear of
skipping DNS.​

Received on Tuesday, 18 July 2017 18:38:53 UTC