- From: Watson Ladd <watson@cloudflare.com>
- Date: Tue, 18 Jul 2017 11:43:51 -0700
- To: Ryan Hamilton <rch@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Piotr Sikora <piotrsikora@google.com>
- Message-ID: <CAN2QdAGGw3+y4yH3OedVNqbU2bYeXS9hyXP8z9qsY2mMGRVfMQ@mail.gmail.com>
On Tue, Jul 18, 2017 at 11:30 AM, Ryan Hamilton <rch@google.com> wrote:
> My apologies for starting this thread on Friday and then going on
> vacation! I'm catching up now.
>
> On Fri, Jul 14, 2017 at 10:32 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> I get that you believe that DNS resolution is valuable here, but I
>> don't understand your point about "proxy configuration". If you have
>> a proxy configured, you generally don't do the DNS lookup directly, so
>> are you saying that you would allow the coalescing for a CONNECT
>> tunnel?
>
> Yes, I think so.
>
>> Can you verify that I understand your point about Alt-Svc: if the
>> origin had been previously contacted and Alt-Svc identified an IP
>> address that matches the current IP, then that could be a sufficient
>> signal. Usually Alt-Svc is a name though, so that wouldn't help.
>
> Sorry, I wasn't very clear. What I mean is that if I connect to
> www.example.org which presents an *.example.org certificate, I need some
> second piece of information before using it for mail.example.com. In the
> alt-svc case, if an earlier connection to mail.example.org advertised
> alt-svc for www.example.org, then I would be comfortable coalescing the
> connection and would not need to do any resolution of mail.example.org.

This doesn't work for our major use case, which is using an existing
connection to one of our customers to send the content of
cdnjs.cloudflare.com. If logging a certificate in CT is enough to enable
ORIGIN that is fine.

>> Similarly, are you saying that CT could assert something that would
>> cause you to skip the DNS lookup for a name?
>
> This was more of a straw-man than a concrete proposal, but yes. Folk in
> Chrome security thought that this was plausible, though probably required
> more thought.
>
>> Or is this list just to make a more general point about raising the
>> bar for gaining the ability to use a name, and not something that is
>> specific to this particular example of DNS lookups?
>
> Specific to the issue of skipping DNS lookups when deciding to trust a
> certificate.
Received on Tuesday, 18 July 2017 18:44:20 UTC
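The coalescing rule the thread is circling (the presented certificate must cover the new name, and the client then wants one corroborating signal before reusing the connection: DNS resolution to the address it is already talking to, an earlier Alt-Svc advertisement from that name, or the server claiming the name in an ORIGIN frame) as an added Python example. This is not Chrome's, Cloudflare's or any other implementation's code; the connection state, hostnames, addresses and DNS table are constructed for illustration, and the DNS lookup is injected as a callable so it runs offline. The ORIGIN branch is the general case of the cdnjs.cloudflare.com scenario described above; the CT straw-man is deliberately not modelled, since the thread does not say what CT would assert.

```python
"""Connection-coalescing decision with the corroborating signals from the
thread. Added example, not code from the discussion or any browser."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass
class Connection:
    """State kept per open HTTP/2 connection (constructed for this example)."""
    authority: str                   # host the connection was opened to
    peer_ip: str                     # address the TCP connection went to
    cert_sans: list[str]             # dNSName SANs in the presented certificate
    alt_svc_advertisers: set[str] = field(default_factory=set)
    # hosts whose earlier response carried Alt-Svc pointing at `authority`
    origin_frame: set[str] = field(default_factory=set)
    # hosts the server claimed in an ORIGIN frame on this connection


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or a wildcard that is the whole
    left-most label and covers exactly one label (so *.example.org covers
    mail.example.org but not example.org or a.b.example.org)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # ".example.org"
        if host.endswith(suffix):
            leftmost = host[: -len(suffix)]
            return bool(leftmost) and "." not in leftmost
    return False


def may_coalesce(conn: Connection, host: str,
                 resolve: Callable[[str], Iterable[str]]) -> tuple[bool, str]:
    """Return (decision, reason). Certificate coverage is mandatory; the
    cheap, already-known signals are checked before paying for a DNS lookup."""
    if not any(san_matches(s, host) for s in conn.cert_sans):
        return False, "certificate does not cover host"
    if host in conn.origin_frame:
        return True, "ORIGIN frame"
    if host in conn.alt_svc_advertisers:
        return True, "Alt-Svc"
    if conn.peer_ip in set(resolve(host)):
        return True, "DNS resolution"
    return False, "no corroborating signal"


# Constructed DNS answers standing in for a real resolver (RFC 5737 ranges).
CONSTRUCTED_DNS: dict[str, set[str]] = {
    "www.example.org": {"192.0.2.10"},
    "mail.example.org": {"192.0.2.10"},      # same address: DNS corroborates
    "static.example.org": {"198.51.100.7"},  # different address
    "other.example.org": {"198.51.100.7"},   # different address, no other signal
    "cdnjs.cloudflare.com": {"203.0.113.5"}, # resolves elsewhere; needs ORIGIN
}


def lookup(host: str) -> set[str]:
    return CONSTRUCTED_DNS.get(host, set())


def sample_connection() -> Connection:
    """A connection to www.example.org whose (constructed) certificate also
    lists cdnjs.cloudflare.com, mirroring the CDN scenario in the thread."""
    return Connection(
        authority="www.example.org",
        peer_ip="192.0.2.10",
        cert_sans=["*.example.org", "cdnjs.cloudflare.com"],
        alt_svc_advertisers={"static.example.org"},
        origin_frame={"cdnjs.cloudflare.com"},
    )


def demo() -> dict[str, tuple[bool, str]]:
    conn = sample_connection()
    hosts = ["mail.example.org", "static.example.org", "cdnjs.cloudflare.com",
             "deep.sub.example.org", "example.org", "other.example.org"]
    return {h: may_coalesce(conn, h, lookup) for h in hosts}


if __name__ == "__main__":
    for host, (ok, why) in demo().items():
        print(f"{host:24} {'coalesce' if ok else 'new connection'}  ({why})")
```

Note the ordering: `other.example.org` is covered by the wildcard certificate yet refused, because none of the three signals corroborates it, while `cdnjs.cloudflare.com` is accepted on the ORIGIN frame alone without consulting DNS at all. Whether ORIGIN should be sufficient on its own, or only when backed by CT, is exactly the open question in the thread; the function makes that choice visible in one place.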