From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.misc
Subject: Re: [LINK] Calling time on DNSSEC?
Date: Thu, 5 Dec 2024 02:02:39 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <vir1jv$17csf$4@dont-email.me>
References: <67464f37@news.ausics.net> <vi68n4$k3r$1@tncsrv09.home.tnetconsulting.net> <wwva5dlul1r.fsf@LkoBDZeT.terraraq.uk> <vi8tkg$8ha$1@tncsrv09.home.tnetconsulting.net> <wwva5dj91v4.fsf@LkoBDZeT.terraraq.uk> <vim7jd$3t1l3$1@dont-email.me> <viobpa$s79$2@tncsrv09.home.tnetconsulting.net> <viod8c$fp5p$1@dont-email.me> <vion3k$fau$1@tncsrv09.home.tnetconsulting.net> <vioqhn$mcr7$1@dont-email.me> <viquuk$l6k$1@tncsrv09.home.tnetconsulting.net>
User-Agent: Pan/0.161

On Wed, 4 Dec 2024 19:17:08 -0600, Grant Taylor wrote:

> On 12/3/24 23:49, Lawrence D'Oliveiro wrote:
>
>> That cert depends on the domain name.
>
> No, not quite.
>
> The domain name can be used to inform which cert the server should use,

Which part of “depends on” are you having trouble with?

> and that's EXACTLY what Server Name Indication (a.k.a. SNI) is. SNI is
> part of TLS.

Which cannot be sent encrypted over HTTP because HTTP encryption hasn’t
been set up yet.

> Also, consider protocols that don't send a Host: header (as HTTP does)
> still using SNI to indicate which domain name is being connected to.

They don’t do “virtual hosting”, where multiple domains share the same IP
address, which is an important feature of HTTP.
That’s why there is a specific problem with that. There are two rival
specs for solving this: DNS-over-TLS, and DNS-over-HTTPS. DNS-over-TLS
(DoT) is a separate protocol that can be identified as such by firewalls,
while DNS-over-HTTPS (DoH) is essentially indistinguishable from any other
HTTPS traffic.

DoH has become quite controversial. On the one hand, corporates who want
to control traffic on their networks for security reasons hate it. But on
the other hand, it can be useful to bypass restrictions for those who live
under certain authoritarian regimes. You can’t have it both ways. Mozilla
decided to go for DoH, for which a British association of ISPs called them
a “villain” <https://www.theregister.com/2019/07/10/ispa_clears_mozilla/>.
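The two transports named in the post, as an added example that is not part of the original article: a Python script that builds a DNS query in RFC 1035 wire format and shows how the same message is carried by DoT (RFC 7858: a two-byte length prefix, then the message, inside TLS on TCP port 853) and by DoH (RFC 8484: the message base64url-encoded into the dns= parameter of an HTTPS GET on port 443). For www.example.com it reproduces the GET example string given in RFC 8484 itself. The resolver URL https://dns.example/dns-query is a placeholder, not a real service, and nothing is sent over the network. The decode function is included to make the firewall point concrete: the name inside a DoH request is only recoverable by whoever terminates the TLS session, whereas DoT announces itself by its port before any decryption.

```python
"""DNS-over-TLS vs DNS-over-HTTPS on the wire.

Added example, not from the original post. Builds a DNS query, frames it
for DoT (RFC 7858) and encodes it for a DoH GET (RFC 8484), then decodes
the DoH form again. Everything is constructed locally; nothing is sent.
"""
import base64
import struct
from urllib.parse import parse_qs, urlparse

DNS_PORT = 53    # plain DNS: cleartext, trivially visible to a firewall
DOT_PORT = 853   # DoT: dedicated port, so a port-based firewall can single it out
DOH_PORT = 443   # DoH: shares the port (and the TLS wrapper) with all other HTTPS

# Placeholder DoH endpoint (assumption for the example; not a real resolver).
DOH_URL = "https://dns.example/dns-query"

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(qname: str, qtype: int = QTYPE_A, txn_id: int = 0) -> bytes:
    """Minimal DNS query in RFC 1035 wire format: 12-byte header + one question.

    txn_id defaults to 0 because RFC 8484 recommends a zero ID for DoH GET
    requests, so identical queries yield identical, cacheable URLs.
    """
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + wire_name + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def dot_frame(message: bytes) -> bytes:
    """DoT framing (RFC 7858, inherited from DNS over TCP): two-byte big-endian
    length followed by the message. This is the payload of the TLS record
    sent to TCP/853."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> bytes:
    """Inverse of dot_frame; rejects a truncated frame instead of misparsing it."""
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated DoT frame")
    return stream[2:2 + length]


def doh_get_url(message: bytes, server: str = DOH_URL) -> str:
    """DoH GET form (RFC 8484 section 4.1): base64url with padding stripped,
    carried in the dns= query parameter of an ordinary HTTPS request."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{server}?dns={token}"


def doh_get_decode(url: str) -> bytes:
    """Recover the DNS message from a DoH GET URL. On the wire this URL sits
    inside TLS on port 443, so only an endpoint that terminates that TLS
    session (client, resolver, or an intercepting proxy) can do this."""
    token = parse_qs(urlparse(url).query)["dns"][0]
    token += "=" * (-len(token) % 4)  # restore the padding that RFC 8484 strips
    return base64.urlsafe_b64decode(token)


def parse_qname(message: bytes) -> str:
    """Read the QNAME of the first question. Compression pointers are not
    handled; they never appear in a plain query like the ones built above."""
    offset = 12  # skip the fixed header
    labels = []
    while True:
        n = message[offset]
        offset += 1
        if n == 0:
            return ".".join(labels)
        labels.append(message[offset:offset + n].decode("ascii"))
        offset += n


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(f"DoT frame, TCP/{DOT_PORT}: {dot_frame(q).hex()}")
    print(f"DoH GET,   TCP/{DOH_PORT}: {doh_get_url(q)}")
    print("name visible after TLS termination:", parse_qname(doh_get_decode(doh_get_url(q))))
```

Run it as a script to print both encodings side by side. The DoT frame is recognisable to a firewall by its destination port alone, before any TLS is opened; the DoH request is a GET to port 443 that a port or protocol filter cannot tell from a web page fetch, which is exactly the property that the post describes as both the corporate objection and the censorship-evasion benefit.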