- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 22 Feb 2022 17:13:46 +0000
- To: Ben Schwartz <bemasc@google.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <59a3c5bd-06d0-a3e1-41ce-cd97c28e8430@cs.tcd.ie>
Hi Ben,

On 22/02/2022 15:57, Ben Schwartz wrote:
> Given that this is a protocol for communication between an HTTP origin (as
> the server) and the authoritative DNS server for its hostname (as the
> client), I think we'll also need some input from DNSOP.

Fair point.

> That context also helps me to see other things that might naturally fit
> here, such as the list of supported HTTP versions (i.e. ALPN values), to
> populate the HTTPS records correctly.

Good point - I only publish very bare-bones HTTPS RRs for my test servers,
so didn't include that, but will. I created an issue for that. [1]

Cheers,
S.

[1] https://github.com/sftcd/wkesni/issues/1

> On Mon, Feb 21, 2022 at 8:39 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>> Hiya,
>>
>> TL;DR: I'm hoping to get feedback from httpbis folks
>> related to draft-farrell-tls-wkesni [1].
>>
>> The TLS WG is well down the (long;-) road developing the
>> encrypted client hello (ECH) spec. [2] I implemented [3]
>> that and as part of that, to support rotating ECH keys, I
>> needed to implement a way to get newly generated keys into
>> the DNS, within HTTPS RRs (or SVCB RRs) according to [4].
>> So I implemented [1] which allows a web server to make its
>> current set(s) of ECH keys available to DNS infrastructure
>> via a .well-known URL. (In my case the web server has no
>> dynamic DNS API, hence the need for something more.)
>> This leaves control of the ECH private values with the
>> web server (admins), which seems desirable in many cases,
>> and control over modifying zone files to DNS admins which
>> also seems desirable.
>>
>> This was briefly discussed at a few TLS WG sessions, but
>> hasn't yet been "adopted." In part, that's because it's
>> not clear whether or not this is a sufficiently useful
>> way to handle the task, nor whether some web server
>> administrators might be more interested in other tooling
>> that might include this kind of feature.
>>
>> So, I'd appreciate feedback as to whether this seems like
>> a useful tool to be in the toolbox or whether something
>> else might be more useful, in particular for web server
>> admins who don't have a dynamic DNS API available and for
>> implementers developing web servers that need to support
>> such deployments.
>>
>> Thanks,
>> Stephen.
>>
>> [1] https://datatracker.ietf.org/doc/draft-farrell-tls-wkesni/
>> [2] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
>> [3] https://defo.ie/
>> [4] https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>>
>
Attachments
- application/pgp-keys attachment: OpenPGP public key
Received on Tuesday, 22 February 2022 17:14:13 UTC
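The flow discussed in the thread (the web server exposes its current ECH keys, a DNS-side tool picks them up and writes HTTPS RRs carrying `ech=` and, per Ben's point, `alpn=`), as an added example that is not part of the thread or of the wkesni draft: it builds a constructed ECHConfigList in the draft-ietf-tls-esni wire format, validates the structure before anything is published into a zone, and renders the RR. The .well-known fetch itself is left out; the 32-byte public key, the config_id, `cover.example` and `example.com.` are placeholders, and the `ech`/`alpn` SvcParam names are those of the SVCB/HTTPS draft.

```python
import base64, struct

ECH_VERSION = 0xFE0D  # ECHConfig version used by draft-ietf-tls-esni-13 and later
KEM_X25519, KDF_HKDF_SHA256, AEAD_AES128GCM = 0x0020, 0x0001, 0x0001  # HPKE ids, RFC 9180

def build_echconfig(config_id, pub_key, public_name, version=ECH_VERSION):
    # One ECHConfig in draft-ietf-tls-esni wire format, with an empty extensions vector.
    suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES128GCM)
    key_config = (struct.pack("!BH", config_id, KEM_X25519)
                  + struct.pack("!H", len(pub_key)) + pub_key
                  + struct.pack("!H", len(suites)) + suites)
    contents = (key_config + b"\x00"  # maximum_name_length = 0, i.e. no hint
                + struct.pack("!B", len(public_name)) + public_name + b"\x00\x00")
    return struct.pack("!HH", version, len(contents)) + contents

def parse_echconfiglist(blob):
    # Returns [(config_id, public_name)] for usable configs; raises on malformed input.
    if len(blob) < 2 or struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("ECHConfigList length prefix does not match the data")
    usable, pos = [], 2
    while pos < len(blob):
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body, pos = blob[pos + 4:pos + 4 + length], pos + 4 + length
        if len(body) != length: raise ValueError("truncated ECHConfig")
        if version != ECH_VERSION:
            continue  # unknown versions are skipped, just as ECH clients skip them
        p = 5 + struct.unpack("!H", body[3:5])[0]       # past config_id, kem_id, public_key
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # past cipher_suites
        p += 1                                           # past maximum_name_length
        name, p = body[p + 1:p + 1 + body[p]], p + 1 + body[p]
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        if p + 2 + ext_len != len(body): raise ValueError("ECHConfig fields overrun its length")
        usable.append((body[0], name.decode("ascii")))
    if not usable: raise ValueError("no ECHConfig with a supported version")
    return usable

def is_publishable(blob):
    try:
        return bool(parse_echconfiglist(blob))
    except (ValueError, struct.error, IndexError):
        return False

def https_rr(owner, alpns, blob, ttl=300):  # the RR the DNS side publishes, after validation
    parse_echconfiglist(blob)
    ech = base64.b64encode(blob).decode()
    return f'{owner} {ttl} IN HTTPS 1 . alpn="{",".join(alpns)}" ech="{ech}"'

# Constructed sample: the 32-byte value is a placeholder, not a real X25519 public key.
CFG = build_echconfig(7, bytes(range(32)), b"cover.example")
SAMPLE = struct.pack("!H", len(CFG)) + CFG
```

A DNS-side tool that refuses anything `is_publishable` rejects keeps a truncated or corrupted fetch from ending up in the zone, where clients would simply fail to use ECH.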