
STARTTLS considered harmful

Posted Aug 19, 2021 21:35 UTC (Thu) by rodgerd (guest, #58896)
In reply to: STARTTLS considered harmful by miquels
Parent article: STARTTLS considered harmful

There are a lot of what-ifs. What if the MX priority record had been generalised so that other protocols baked failover in, doing away with the pain of faking it with short TTLs and similar hackery.


to post comments

STARTTLS considered harmful

Posted Aug 19, 2021 23:00 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

There is more activity today in DNS because of DPRIVE and other work (which has the purpose of improving privacy, but the effect of reducing the impact of rusted-in-place "security" appliances) than we were seeing through say the 1990s or 2000s. SVCB and HTTPS records provide a much richer feature set than generalising MX, indeed the intention as I understand it is that HTTPS will contain enough information that your client can go from "I want https://clown-porn.example.com/" to a set of IPv4 or IPv6 addresses, TCP or UDP port numbers, keys to encrypt initial setup and a masking name like only-cats.example.com in a single DNS request so that it's then equipped to do an encrypted HTTP transaction to the URL you wanted, no further extra roundtrips.

The next generation happy eyeballs algorithms are trying to guess in advance whether to try say, IPv6 QUIC to server A or go with IPv4 TLS to server B or just do both and throw away whichever was slowest, learning from recent experience.
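As an added illustration of the HTTPS record the comment above describes (this is example code, not something from the LWN thread or from any DNS library): a parser for the RDATA of a type 65 HTTPS resource record in the RFC 9460 wire format, which pulls out the ALPN list, port, IPv4/IPv6 hints and, from the ech= parameter, the ECHConfig public_name that the client would put in the outer ClientHello as the masking name. The sample record is constructed inline; the target name, the port 8443, the addresses, the ECH config_id and the all-zero X25519 public key are invented placeholders, and the ECHConfig layout follows version 0xfe0d of draft-ietf-tls-esni.

```python
"""Parse HTTPS (type 65) RDATA per RFC 9460 and extract the ECH public name.

Added example for the LWN thread, not code from it or from any DNS library.
SAMPLE_RDATA is constructed below; its target, port, addresses and the
all-zero X25519 key are placeholders, not real configuration."""
import ipaddress
import struct

# SvcParamKey registry values, RFC 9460 section 14.3
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def read_name(buf, off):
    """Decode an uncompressed DNS name; RFC 9460 forbids compression here."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in HTTPS RDATA")
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", off


def parse_ech_config_list(data):
    """Return the public_name of every version 0xfe0d ECHConfig in the list."""
    (total,) = struct.unpack_from("!H", data, 0)
    off, end, names = 2, 2 + total, []
    if end != len(data):
        raise ValueError("ECHConfigList length mismatch")
    while off < end:
        version, length = struct.unpack_from("!HH", data, off); off += 4
        body = data[off:off + length]; off += length
        if version != 0xFE0D:            # unknown version: a client skips it
            continue
        p = 3                            # config_id (1) + kem_id (2)
        (klen,) = struct.unpack_from("!H", body, p); p += 2 + klen  # public_key
        (clen,) = struct.unpack_from("!H", body, p); p += 2 + clen  # cipher_suites
        p += 1                           # maximum_name_length
        nlen = body[p]; p += 1
        names.append(body[p:p + nlen].decode("ascii"))
    return names


def parse_https_rdata(rdata):
    """Return (SvcPriority, TargetName, {param_name: decoded value})."""
    (prio,) = struct.unpack_from("!H", rdata, 0)
    target, off = read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, vlen = struct.unpack_from("!HH", rdata, off); off += 4
        val = rdata[off:off + vlen]; off += vlen
        if key <= last_key:              # section 2.2: keys strictly ascending
            raise ValueError("SvcParamKeys out of order or duplicated")
        last_key = key
        name = KEY_NAMES.get(key, f"key{key}")
        if key == 1:                     # alpn: sequence of length-prefixed ids
            ids, p = [], 0
            while p < len(val):
                n = val[p]; ids.append(val[p + 1:p + 1 + n].decode("ascii")); p += 1 + n
            params[name] = ids
        elif key == 3:
            params[name] = struct.unpack("!H", val)[0]
        elif key == 4:
            params[name] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
        elif key == 6:
            params[name] = [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
        elif key == 5:
            params[name] = parse_ech_config_list(val)
        else:
            params[name] = val
    if prio == 0 and params:
        raise ValueError("AliasMode record must not carry SvcParams")
    return prio, target, params


def _param(key, val):
    return struct.pack("!HH", key, len(val)) + val


def _ech_config(public_name, pubkey):
    """Build a one-entry ECHConfigList: X25519 KEM, HKDF-SHA256/AES-128-GCM."""
    suites = struct.pack("!HH", 0x0001, 0x0001)
    contents = (bytes([7]) + struct.pack("!H", 0x0020)      # config_id, kem_id
                + struct.pack("!H", len(pubkey)) + pubkey
                + struct.pack("!H", len(suites)) + suites
                + bytes([0])                                # maximum_name_length
                + bytes([len(public_name)]) + public_name.encode("ascii")
                + struct.pack("!H", 0))                     # no extensions
    cfg = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg


# Constructed sample: ServiceMode record (priority 1) with target "." (the owner name itself)
SAMPLE_RDATA = (struct.pack("!H", 1) + b"\x00"
                + _param(1, b"\x02h2\x02h3")
                + _param(3, struct.pack("!H", 8443))
                + _param(4, ipaddress.IPv4Address("192.0.2.10").packed)
                + _param(5, _ech_config("only-cats.example.com", bytes(32)))
                + _param(6, ipaddress.IPv6Address("2001:db8::10").packed))

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_RDATA))
```

Everything the comment lists as needed for the first connection (addresses, port, ALPN, ECH key material and the masking name) comes out of this one record; the key-ordering and AliasMode checks are the validations RFC 9460 requires of a resolver or client before it trusts the parsed parameters.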


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds