sftcd / wkesni

A well-known URI for publishing ESNIKeys

Cache mismatches #2

Closed ekr closed 3 months ago

ekr commented 2 years ago

As I was saying at the mic.

Consider the case where example.com is hosted on CDN A and CDN B, each of which has their own ECH keys.

The client resolves example.com, which resolves to an IP associated with CDN A, and gets an A record with a TTL of 20 min (1200 s) and gets the ECHConfigList with a TTL of 60 minutes (3600 s).

30 minutes later, it tries to connect. It has to do a fresh A record lookup and gets an A record associated with CDN B. It pulls the ECHConfigList out of cache (which, recall, is associated with CDN A). It uses that key. When B tries to decrypt, it fails. This is unrecoverable because the public name will also be associated with B.

Lennie commented 11 months ago

(I'm just some idiot on the Internet (not talking for the company I work for))

Couldn't that be handled by some kind of include or alias?

Random idea:

example.com file on CDN A has an include to CDN B: example-com.cdn-b.com

And vice versa:

example.com file on CDN B has an include to CDN A: example-com.cdn-a.com

Then publish both in DNS.

Still allows one DNS query, and only the tool that is putting it in DNS needs to connect to the multiple locations.

bemasc commented 11 months ago

I believe the draft's answer to this is in Section 5: "Origins can indicate that multiple CDNs are in use, each with its own ECHConfig.". In other words: if an origin is doing multi-CDN, it can't let either CDN populate its .well-known/origin-svcb on its own. Instead, the origin needs some kind of cron job that copies the configs from all CDNs and concatenates/transforms them.

I think we probably need more text about who is allowed to generate origin-svcb and under what conditions. Is it safe for a CDN to insert its own origin-svcb file if the backend returns 404?
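A toy model of the cache timeline ekr describes at the top of the thread, next to the origin-maintained multi-CDN resource bemasc points to in Section 5. This is an added example and is not code from the wkesni repository or the draft; the CDN names, config ids, TTL values, the steering function and the shape of the per-CDN entry (target plus its own ECH config, fetched and cached as one unit) are constructed assumptions used only to make the failure mode and the remedy visible.

```python
from dataclasses import dataclass

# Constructed data: two CDNs, each with its own ECH config (no real keys).
CDN_CONFIGS = {
    "cdn-a": {"config_id": 1, "public_name": "a.example-cdn.test"},
    "cdn-b": {"config_id": 2, "public_name": "b.example-cdn.test"},
}


@dataclass
class CachedRecord:
    value: object
    fetched_at: int
    ttl: int

    def fresh(self, now: int) -> bool:
        return now < self.fetched_at + self.ttl


class Cache:
    """Minimal TTL cache: each key expires on its own clock, like a resolver."""

    def __init__(self):
        self._store = {}

    def get(self, key, fetch, now):
        rec = self._store.get(key)
        if rec is None or not rec.fresh(now):
            value, ttl = fetch(now)
            rec = CachedRecord(value, now, ttl)
            self._store[key] = rec
        return rec.value


def server_decrypts(cdn: str, config: dict) -> bool:
    """The CDN terminating TLS can only open ECH sealed to its own config."""
    return config["config_id"] == CDN_CONFIGS[cdn]["config_id"]


def a_record_lookup(now: int):
    # Constructed steering: the answer is CDN A at first and CDN B later,
    # published with a 20 min (1200 s) TTL.
    return ("cdn-a" if now < 1200 else "cdn-b"), 1200


def ech_list_published_by_cdn_a(now: int):
    # Constructed: CDN A alone populated the well-known resource, 60 min TTL.
    return [CDN_CONFIGS["cdn-a"]], 3600


def independent_cache_connect(cache: Cache, now: int):
    """Mismatch scenario: A record and ECHConfigList cached independently."""
    cdn = cache.get("A", a_record_lookup, now)
    configs = cache.get("ECH", ech_list_published_by_cdn_a, now)
    config = configs[0]
    return cdn, config["config_id"], server_decrypts(cdn, config)


def origin_svcb_lookup(now: int):
    # Constructed model of an origin-maintained resource: one entry per CDN,
    # carrying that CDN's target together with its own ECH config.
    return [("cdn-a", CDN_CONFIGS["cdn-a"]),
            ("cdn-b", CDN_CONFIGS["cdn-b"])], 3600


def bound_config_connect(cache: Cache, now: int):
    """Remedy scenario: the ECH config travels with the endpoint it belongs to."""
    entries = cache.get("SVCB", origin_svcb_lookup, now)
    # Whichever CDN steering sends us to, use the config bound to that entry
    # rather than a separately cached list.
    wanted = a_record_lookup(now)[0]
    cdn, config = next(e for e in entries if e[0] == wanted)
    return cdn, config["config_id"], server_decrypts(cdn, config)


def simulate():
    """Replay the thread's timeline: connect at t=0, again 30 min later."""
    c1 = Cache()
    first = independent_cache_connect(c1, 0)       # reaches A, config 1: ok
    later = independent_cache_connect(c1, 1800)    # reaches B, stale config 1: fails
    c2 = Cache()
    bound_later = bound_config_connect(c2, 1800)   # reaches B, config 2: ok
    return first, later, bound_later


if __name__ == "__main__":
    for label, result in zip(("t=0 independent", "t=1800 independent",
                              "t=1800 bound"), simulate()):
        print(label, result)
```

At t=1800 the A record has expired and is refetched (now pointing at CDN B) while the ECHConfigList fetched at t=0 is still within its 3600 s TTL, so the client seals to config 1 and CDN B cannot decrypt; in the bound model the config is selected from the same cached entry as the target, so the two cannot drift apart between refetches.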

richsalz commented 3 months ago

I think the simplest thing to do is say that only the "true" origin should use the WK svcb field and that the ZF should make sure it is fetching from the right place. Thoughts?

bemasc commented 3 months ago

Something like "HTTP gateways MUST NOT inject or modify the origin's .well-known/origin-svcb resource".

richsalz commented 3 months ago

Wrote a paragraph, see #30