Ben Schwartz wrote:
> Hi dnsop,
>
> I've written a draft proposal to improve the privacy of TLS connections, by
> letting servers use the DNS to tell clients what SNI to send.
>
> https://tools.ietf.org/html/draft-schwartz-dns-sni-01
>
> I've incorporated some helpful feedback [1] from the TLS WG, but now I
> could use your help analyzing the DNS side. All comments welcome; this
> draft will change based on your feedback.
>
> One particular issue that I could use advice on: should this be a new
> record type, or should it reuse/repurpose an existing type like SRV or PTR?
>
> Thanks,
> Ben
>
> [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html
Hi, Ben:

I'm kind of curious: your examples are pretty HTTP-centric, and HTTP already has some pretty strong features for origins to persistently modify how clients perform TLS, i.e., HTTP Strict Transport Security and HTTP Public Key Pinning, along with preloading of those settings by the browser vendors. Why not follow that same model for the functionality in your draft?

--
Robert Edmonds

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop