Re: [LINK] Calling time on DNSSEC?

From: ldo (at) *nospam* nz.invalid (Lawrence D'Oliveiro)
Newsgroups: comp.misc
Date: 05 Dec 2024, 03:02:39
Organization: A noiseless patient Spider
Message-ID: <vir1jv$17csf$4@dont-email.me>
User-Agent: Pan/0.161 (Chasiv Yar; )

On Wed, 4 Dec 2024 19:17:08 -0600, Grant Taylor wrote:

> On 12/3/24 23:49, Lawrence D'Oliveiro wrote:
>
>> That cert depends on the domain name.
>
> No, not quite.
>
> The domain name can be used to inform which cert the server should use,

Which part of “depends on” are you having trouble with?

> and that's EXACTLY what Server Name Indication (a.k.a. SNI) is.  SNI is
> part of TLS.

Which cannot be sent encrypted over HTTP because HTTP encryption
hasn’t been set up yet.

> Also, consider protocols that don't send a Host: header (as HTTP does)
> still using SNI to indicate which domain name is being connected to.

They don’t do “virtual hosting”, where multiple domains share the same
IP address, which is an important feature of HTTP. That’s why there is a
specific problem with that.

There are two rival specs for solving this: DNS-over-TLS, and
DNS-over-HTTPS. DNS-over-TLS (DoT) is a separate protocol that can be
identified as such by firewalls, while DNS-over-HTTPS (DoH) is
essentially indistinguishable from any other HTTPS traffic.

DoH has become quite controversial. On the one hand, corporates who
want to control traffic on their networks for security reasons hate
it. But on the other hand, it can be useful to bypass restrictions for
those who live under certain authoritarian regimes. You can’t have
it both ways.

Mozilla decided to go for DoH, for which a British association of ISPs
called them a “villain”
<https://www.theregister.com/2019/07/10/ispa_clears_mozilla/>.
