ESNI, Encrypted Client Hello, DNS developments
From: Niall O'Reilly via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 16 Dec 2020 20:15:39 +0000
Hi.
Work I was involved in to add ESNI support to libcurl
was suspended quite a number of months ago as the
IETF TLS WG decided on, and since specified, a different
approach. After dealing with some other distractions,
I expect to pick this up again soonish, but most likely
not before the new year.
Here is a summary of the new situation.
- ESNI is no longer an independent feature,
but an element of Encrypted Client Hello (ECHO);
- SVCB and HTTPS records have been introduced in the DNS
for binding (alternative sets of) service parameters
to a hostname;
- To support ECHO, an application will need to look
for SVCB or HTTPS RRs, not just A and AAAA RRs;
- POSIX getaddrinfo() only provides data from A and AAAA RRs,
so will no longer be adequate.
For those who are interested, here is a link to a presentation
explaining the SVCB and HTTPS resource records, which was
given at an interim virtual meeting of the RIPE DNS Working Group
early in October; it has only recently become available on the
RIPE website.
https://www.ripe.net/participate/ripe/wg/active-wg/dns/remote-sessions/svcb_https_-ripe-2020.pdf
Best regards,
Niall O’Reilly
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2020-12-16
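The message above makes the practical point that getaddrinfo() only surfaces A and AAAA data, so a client that wants Encrypted Client Hello has to fetch and parse the HTTPS resource record itself before the TLS handshake. The following C program is an added example, not code from the message, from libcurl or from the RIPE presentation: it parses the RDATA of an HTTPS record in the wire format the SVCB/HTTPS drafts settled on (now RFC 9460: SvcPriority, TargetName, then a list of SvcParams), enforces the two rules that make a record unusable (SvcParamKeys must be strictly increasing, and a "mandatory" list must only name keys the client handles), and extracts the alpn, port, ipv4hint and ech parameters. The ECHConfigList carried by the ech parameter is treated as an opaque blob to hand to the TLS stack. Both sample records are constructed for the example; the four ech bytes are a placeholder, not a real ECHConfigList, and issuing the DNS query itself is out of scope here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SvcParamKey numbers as assigned in RFC 9460 (only the ones handled here) */
enum { KEY_MANDATORY = 0, KEY_ALPN = 1, KEY_NO_DEFAULT_ALPN = 2, KEY_PORT = 3,
       KEY_IPV4HINT = 4, KEY_ECH = 5 };

struct https_rr {
    uint16_t priority;          /* 0 = AliasMode, >0 = ServiceMode */
    char target[256];           /* TargetName in presentation form, "." = owner name */
    char alpn[8][32];           /* ALPN protocol ids, NUL-terminated */
    int alpn_count;
    int has_port;
    uint16_t port;
    uint8_t ipv4hint[8][4];
    int ipv4_count;
    const uint8_t *ech;         /* ECHConfigList, passed to the TLS stack as-is */
    size_t ech_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Uncompressed DNS name -> dotted text. Returns bytes consumed, 0 on error.
 * Compression pointers are not permitted in SVCB/HTTPS RDATA, so none are accepted. */
static size_t parse_name(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    for (;;) {
        if (i >= len) return 0;
        uint8_t l = p[i++];
        if (l == 0) break;
        if (l > 63 || i + l > len || o + l + 1 >= outlen) return 0;
        memcpy(out + o, p + i, l);
        o += l; i += l;
        out[o++] = '.';
    }
    if (o == 0) out[o++] = '.';             /* root name: target is the owner itself */
    out[o] = '\0';
    return i;
}

/* Parse HTTPS/SVCB RDATA. Returns 0 on success, a negative code if the data is
 * malformed or unusable; in that case the caller must not use the record. */
int parse_https_rdata(const uint8_t *rd, size_t len, struct https_rr *rr)
{
    memset(rr, 0, sizeof *rr);
    if (len < 2) return -1;
    rr->priority = rd16(rd);
    size_t off = 2, n = parse_name(rd + off, len - off, rr->target, sizeof rr->target);
    if (n == 0) return -2;
    off += n;
    int last_key = -1;
    while (off < len) {
        if (len - off < 4) return -3;
        uint16_t key = rd16(rd + off), vlen = rd16(rd + off + 2);
        off += 4;
        if (vlen > len - off) return -4;     /* value runs past the end of the RDATA */
        if ((int)key <= last_key) return -5; /* keys must be strictly increasing */
        last_key = key;
        const uint8_t *v = rd + off;
        switch (key) {
        case KEY_MANDATORY:                  /* every listed key must be one we handle */
            if (vlen == 0 || vlen % 2) return -6;
            for (size_t i = 0; i < vlen; i += 2)
                if (rd16(v + i) == KEY_MANDATORY || rd16(v + i) > KEY_ECH) return -7;
            break;
        case KEY_ALPN:                       /* sequence of length-prefixed protocol ids */
            for (size_t i = 0; i < vlen; ) {
                uint8_t l = v[i++];
                if (l == 0 || i + l > vlen) return -8;
                if (rr->alpn_count < 8 && l < 32) {
                    memcpy(rr->alpn[rr->alpn_count], v + i, l);
                    rr->alpn[rr->alpn_count][l] = '\0';
                    rr->alpn_count++;
                }
                i += l;
            }
            break;
        case KEY_PORT:
            if (vlen != 2) return -9;
            rr->port = rd16(v); rr->has_port = 1;
            break;
        case KEY_IPV4HINT:
            if (vlen == 0 || vlen % 4) return -10;
            for (size_t i = 0; i < vlen && rr->ipv4_count < 8; i += 4)
                memcpy(rr->ipv4hint[rr->ipv4_count++], v + i, 4);
            break;
        case KEY_ECH:
            if (vlen == 0) return -11;
            rr->ech = v; rr->ech_len = vlen;
            break;
        default: break;                      /* unrecognised keys are ignored unless mandatory */
        }
        off += vlen;
    }
    return 0;
}

/* 1 if this is a ServiceMode record that carries an ECH configuration */
int https_rr_offers_ech(const struct https_rr *rr)
{
    return rr->priority > 0 && rr->ech != NULL;
}

/* Constructed sample RDATA (not captured from any real zone): priority 1, target ".",
 * alpn=h2,http/1.1, port=8443, ipv4hint=192.0.2.1, ech=4 placeholder bytes. */
const uint8_t sample_https_rdata[] = {
    0x00, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x0c, 0x02, 'h', '2', 0x08, 'h', 't', 't', 'p', '/', '1', '.', '1',
    0x00, 0x03, 0x00, 0x02, 0x20, 0xfb,
    0x00, 0x04, 0x00, 0x04, 0xc0, 0x00, 0x02, 0x01,
    0x00, 0x05, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
};
const size_t sample_https_rdata_len = sizeof sample_https_rdata;

/* Constructed malformed RDATA: port (key 3) appears before alpn (key 1) */
const uint8_t bad_order_rdata[] = {
    0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x02, 0x20, 0xfb, 0x00, 0x01, 0x00, 0x03, 0x02, 'h', '2',
};
const size_t bad_order_rdata_len = sizeof bad_order_rdata;

int main(void)
{
    struct https_rr rr;
    if (parse_https_rdata(sample_https_rdata, sample_https_rdata_len, &rr) != 0) return 1;
    printf("priority=%u target=%s port=%u alpn0=%s ech_len=%zu offers_ech=%d\n",
           rr.priority, rr.target, rr.port, rr.alpn[0], rr.ech_len, https_rr_offers_ech(&rr));
    return 0;
}
```

The point a client has to get right is the failure path: a record with out-of-order keys, an over-long value or an unsupported mandatory key is rejected as a whole rather than partially used, and a record that parses but has no ech parameter (or is AliasMode, priority 0) must not be taken as permission to send an encrypted ClientHello. The target name and ipv4hint/ipv6hint are then what replace the A/AAAA lookup that getaddrinfo() would otherwise have done.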