On 07/07/16 02:07, Alex Rousskov wrote:
> Q1. Is wildcard SNI "legal/valid"?
> I do not know the answer to that question. The "*.example.com" name is
> certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to
> be a "fully qualified domain name", but I failed to find a strict-enough
> RFC definition of an FQDN that would either accept or reject wildcards
> as FQDNs. I would not be surprised if FQDN syntax is not defined to the
> level that would allow one to reject wildcards as FQDNs based on syntax
> alone.
Wildcards can be specified in DNS zonefiles, but I don't think you can
ever look them up directly (rather, you look up "something.example.com"
and the DNS server itself decides to use the wildcard record to fulfil
that request - you never look up *.example.com itself).
> Q2. Can wildcard SNI "make sense" in some cases?
> Yes, of course. The client essentially says "I am trying to connect to
> _any_ example.com subdomain at this IP:port address. If you have any
> service like that, please connect me". That would work fine in
> deployment contexts where several servers with different names provide
> essentially the same service and the central "routing point" would pick
> the "best" service to use. I am not saying it is a good idea to use
> wildcard SNIs, but I can see them "making sense" in some cases.
Realistically, shouldn't the SNI reflect the DNS request that was made
to find the IP of the server you're connecting to? You would never make
a DNS request for '*.example.com' so I don't see a reason why you would
send an SNI that has a larger scope than the DNS request you made.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:st...@opendium.com
Email: st...@opendium.com
Phone: sip:st...@opendium.com
Sales / enquiries contacts:
Email: sa...@opendium.com
Phone: +44-1792-824568 / sip:sa...@opendium.com
Support contacts:
Email: supp...@opendium.com
Phone: +44-1792-825748 / sip:supp...@opendium.com
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
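The two points raised in the thread, whether a receiver can reject a wildcard SNI on syntax alone and the observation that DNS wildcards are only ever matched inside the authoritative server, can both be shown in code. The following is an added example and is not code from the thread, from Squid, or from its authors. It applies RFC 6066 section 3 (ASCII HostName, no trailing dot, no IP literals) together with RFC 1123 label syntax, under which a `*` label is simply not a valid label, and it includes a toy resolver over a constructed zone that synthesizes wildcard answers the way RFC 4592 describes, refusing a literal `*.example.com` query. The zone contents and the function names are this example's own assumptions.

```python
"""Added example: validate a TLS SNI HostName and model DNS wildcard matching.
Not code from the squid-users thread or from Squid itself."""
from __future__ import annotations

import ipaddress
import re
from typing import Optional

# RFC 1123 "LDH" label: letters, digits, hyphens, no leading/trailing hyphen,
# 1..63 octets. RFC 6066 HostName is ASCII, so IDNs must already be A-labels.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_sni_hostname(sni: str) -> tuple[bool, str]:
    """Return (ok, reason) for a client-supplied SNI HostName.

    Rules applied (RFC 6066 section 3 plus RFC 1123 label syntax):
      * non-empty, ASCII only, at most 253 octets
      * no trailing dot and no IPv4/IPv6 literal (both forbidden by RFC 6066)
      * every label is LDH syntax, so a '*' label is rejected on syntax alone
      * at least two labels, so a bare label such as "localhost" is refused
    """
    if not sni:
        return False, "empty HostName"
    if not sni.isascii():
        return False, "non-ASCII HostName (IDNs must be sent as A-labels)"
    if len(sni) > 253:
        return False, "HostName longer than 253 octets"
    if sni.endswith("."):
        return False, "trailing dot not allowed in SNI"
    try:
        ipaddress.ip_address(sni.strip("[]"))
        return False, "IP literal not allowed in SNI"
    except ValueError:
        pass  # not an address literal, continue with name checks
    labels = sni.lower().split(".")
    if len(labels) < 2:
        return False, "not a fully qualified name"
    for label in labels:
        if "*" in label:
            return False, "wildcard label rejected"
        if not _LABEL_RE.match(label):
            return False, f"label {label!r} is not LDH syntax"
    return True, "ok"


# Constructed toy zone (assumption of this example). A client never asks for
# "*.example.com"; the server synthesizes answers from it for names that have
# no closer-matching entry.
ZONE = {
    "www.example.com": "192.0.2.10",
    "*.example.com": "192.0.2.20",
}


def _name_tree(zone: dict[str, str]) -> set[str]:
    """All non-wildcard names that exist in the zone's name tree, including
    the ancestors of every owner name (RFC 4592 "closest encloser" logic)."""
    tree: set[str] = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if not suffix.startswith("*"):
                tree.add(suffix)
    return tree


def resolve(name: str, zone: dict[str, str] = ZONE) -> Optional[str]:
    """Return the address for `name`, synthesizing from a wildcard record at
    the closest encloser when no exact owner name exists."""
    name = name.lower().rstrip(".")
    if "*" in name:
        return None  # a literal '*' query is refused outright
    if name in zone:
        return zone[name]
    tree = _name_tree(zone)
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in tree:
            # Only a wildcard directly under the closest encloser can match.
            return zone.get("*." + encloser)
    return None


if __name__ == "__main__":
    for candidate in ("www.example.com", "*.example.com", "192.0.2.1", "localhost"):
        print(candidate, validate_sni_hostname(candidate))
    for query in ("www.example.com", "foo.example.com", "*.example.com",
                  "sub.www.example.com", "foo.example.org"):
        print(query, "->", resolve(query))
```

`sub.www.example.com` deliberately returns nothing: `www.example.com` exists, so it is the closest encloser, and there is no `*.www.example.com` record, which is the RFC 4592 behaviour rather than a naive "strip labels until a wildcard fits" search. A TLS-terminating proxy that applies `validate_sni_hostname` before routing on SNI never has to decide what a wildcard client name "means".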