Re: [LINK] Calling time on DNSSEC?

Subject: Re: [LINK] Calling time on DNSSEC?
From: gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups: comp.misc
Date: 05. Dec 2024, 03:57:47
Organization: TNet Consulting
Message-ID: <vir4rb$kfq$1@tncsrv09.home.tnetconsulting.net>
User-Agent: Mozilla Thunderbird
On 12/4/24 20:02, Lawrence D'Oliveiro wrote:
> Which part of “depends on” are you having trouble with?
TLS doesn't /depend/ /on/ any domain information from the client.
It's perfectly possible to use a certificate that has nothing to do with the domain name the client was connected to.
N.B. that's entirely independent of whether the client will continue using the connection after seeing that the name in the certificate (CN and / or SAN) doesn't match the domain name that the client thought it was connecting to.
But the server can use whatever certificate it wants, completely independently of the domain name that the client uses.  Hence there is no dependency.
There is correlation and usually mutual agreement.  But that's not a requirement.

> Which cannot be sent encrypted over HTTP because HTTP encryption
> hasn’t been set up yet.
Server Name Indication is part of TLS, not HTTP.  HTTP comes /after/ SNI.

> They don’t do “virtual hosting”, where multiple domains share the same IP address, which is an important feature of HTTP. That’s why there is a specific problem with that.
Link - Postfix — Multiple domain SSL certificates | by Dave Teu | Better Coder | Medium
  - https://medium.com/better-coder/postfix-multiple-domain-ssl-certificates-89c9f186ed73
Link - Dovecot SSL configuration — Dovecot documentation
  - https://doc.dovecot.org/2.3/configuration_manual/dovecot_ssl_configuration/#with-client-tls-sni-server-name-indication-support

> There are two rival specs for solving this: DNS-over-TLS, and DNS-over-HTTPS.
DoT & DoH are about encrypted communications with a DNS server.  They are completely independent of TLS & SNI.  What's more is that neither DoT nor DoH can do shit about ensuring that the data sent through the DoT / DoH channel is valid.  It's trivial to lie through DoT & DoH, unless clients use DNSSEC through DoT & DoH to catch the lie.
You can even use SNI while establishing a DoH session.

> DNS-over-TLS (DoT) is a separate protocol that can be identified as such by firewalls, while DNS-over-HTTPS (DoH) is essentially indistinguishable from any other HTTPS traffic.
DoH is still subject to the SNI exposure and can be filtered that way.
It's also possible to do traffic analysis to identify & block likely DoH traffic.

> DoH has become quite controversial.
This doesn't have anything to do with TLS / SNI, so I'm not responding to it.
--
Grant. . . .
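As an added example (not from the thread or either of its authors), here is the kind of check a perimeter filter performs to classify DoH by its SNI as Grant describes: parse the server_name extension out of a TLS ClientHello and match it against a watch-list. The ClientHello builder produces constructed test input only, and the watch-list hostnames are placeholders.

```python
import struct

# Constructed placeholder watch-list of resolver hostnames to block; not real resolver names.
DOH_RESOLVER_NAMES = {"doh.example.net", "dns.example.org"}

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (fixed constructed bytes)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]   # handshake message
        end = 4 + int.from_bytes(hs[1:4], "big")
        if record[0] != 0x16 or hs[0] != 0x01 or end > len(hs):
            return None                              # not a ClientHello, or truncated
        p = 4 + 2 + 32                               # skip version and random
        p += 1 + hs[p]                               # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0] # cipher_suites
        p += 1 + hs[p]                               # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # struct.error if absent
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                      # server_name extension
                name_type, name_len = struct.unpack("!BH", hs[p + 2:p + 5])
                if name_type == 0:
                    return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):               # malformed or truncated input
        pass
    return None

def is_doh_by_sni(record: bytes, watchlist=DOH_RESOLVER_NAMES) -> bool:
    """Flag a ClientHello whose SNI names a resolver on the watch-list."""
    name = extract_sni(record)
    return name is not None and name.lower().rstrip(".") in watchlist
```

Encrypted ClientHello, where deployed, removes the plaintext SNI this relies on, which is why Grant also mentions traffic analysis as a fallback.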
