@kazuho
Last active December 29, 2019 13:24
Why you need a prefix for ESNI

Background

Some CDNs allow their customers to bring in their own DNS. Some do not provide DNS service at all, requiring every customer to bring in their own DNS.

The customer's DNS will have a zone definition like the following:

example.com. IN NS   ns1.example.com.
example.com. IN NS   ns2.example.com.
example.com. IN A    192.0.2.1         ; CDN's IP address

The NS records point to the authoritative servers run by the customer (or to the DNS service provider that the customer uses).

The A record designates the IP address of the CDN. A CNAME cannot be used here, because example.com is the zone apex. The reason behind the prohibition is that a CNAME is not type-specific: setting a CNAME for example.com would incorrectly redirect the NS records (and every other record type at that name) to the CDN's DNS server as well.

The prerequisite for this type of configuration is that the CDN's IP address is constant regardless of the time or the location of the client. That is why this approach is typically found in CDNs that use BGP to route requests.

ESNI without prefix

We want to add an ESNI record to the list.

Assuming that no prefix is used, the zone file would look like the one below.

example.com. IN NS   ns1.example.com.
example.com. IN NS   ns2.example.com.
example.com. IN A    192.0.2.1         ; CDN's IP address
example.com. IN ESNI ...               ; CDN's ESNI record

For the reasons described above, the ESNI record cannot be delegated to the CDN's DNS server. However, unlike an A record, an ESNI record cannot be a constant: it contains a public key that needs to be rotated.

Customers would be required to update the ESNI record every time the CDN rotates the key.

This is not only an operational burden; it also significantly raises the risk of the keys being published (in the customer's zone) and the keys being accepted (by the CDN) falling out of sync.

ESNI with prefix

The issue can be resolved by adding a prefix.

In the example below, the ESNI key for example.com is published under the name _esni.example.com.

example.com.       IN NS    ns1.example.com.
example.com.       IN NS    ns2.example.com.
example.com.       IN A     192.0.2.1             ; CDN's IP address
_esni.example.com. IN CNAME _esni.mycdn.example.  ; CNAME to CDN's ESNI record

Since _esni.example.com is not the zone apex, that label can be delegated to the CDN's DNS server via a CNAME, regardless of the resource record type. When the CDN rotates its key, it updates _esni.mycdn.example and the customer's zone needs no change.
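The three situations above (a CNAME at the apex dragging the NS records along, a hand-copied ESNI record going stale after a key rotation, and the prefixed CNAME staying in sync) can be checked with a small model of CNAME resolution. The following is an added example, not code from the gist; it models the RFC 1034 rule that a CNAME at a name applies to every type queried at that name. The CDN name mycdn.example, its name servers, the key strings and the record type name ESNI are assumptions built from the zone files above.

```python
# Added example (not code from the gist): a toy model of RFC 1034 CNAME
# semantics that shows (1) why a CNAME at the zone apex drags the NS records
# along with it and (2) why a _esni prefix keeps the customer's published key
# in sync with the CDN's current key across rotations. Names such as
# mycdn.example, the key strings and the record type name ESNI are assumptions.

MAX_CNAME_HOPS = 8  # guard against CNAME loops in the toy resolver


def resolve(dns, name, rtype, _hops=0):
    """Return the RDATA list for (name, rtype), following CNAMEs.

    Mirrors the rule that a CNAME applies to *every* type queried at that
    owner name: if the name has a CNAME and we did not ask for CNAME itself,
    the query restarts at the CNAME target regardless of rtype.
    """
    if _hops > MAX_CNAME_HOPS:
        raise RuntimeError(f"CNAME chain too long at {name}")
    if rtype != "CNAME" and (name, "CNAME") in dns:
        target = dns[(name, "CNAME")][0]
        return resolve(dns, target, rtype, _hops + 1)
    return dns.get((name, rtype), [])


def merge(*zones):
    """Union of several zones, standing in for a recursive resolver's view."""
    dns = {}
    for zone in zones:
        dns.update(zone)
    return dns


CUSTOMER_NS = ["ns1.example.com.", "ns2.example.com."]
CDN_NS = ["ns1.mycdn.example.", "ns2.mycdn.example."]  # assumed CDN name servers


def cdn_zone(esni_key):
    """The CDN-controlled zone; only the CDN edits this (constructed data)."""
    return {
        ("mycdn.example.", "NS"): CDN_NS,
        ("mycdn.example.", "A"): ["192.0.2.1"],
        ("_esni.mycdn.example.", "ESNI"): [esni_key],
    }


def apex_cname_breaks_ns():
    """Scenario 1: CNAME at the apex. Asking for NS example.com follows the
    CNAME, so the delegation appears to belong to the CDN, not the customer."""
    customer = {
        ("example.com.", "NS"): CUSTOMER_NS,
        ("example.com.", "CNAME"): ["mycdn.example."],  # not allowed at an apex
    }
    return resolve(merge(customer, cdn_zone("key-v1")), "example.com.", "NS")


def without_prefix_after_rotation():
    """Scenario 2: ESNI record copied into the customer zone. The CDN rotates
    its key, the customer's copy is not updated, and the two fall out of sync.
    Returns (key the client sees, key the CDN currently accepts)."""
    customer = {
        ("example.com.", "NS"): CUSTOMER_NS,
        ("example.com.", "A"): ["192.0.2.1"],
        ("example.com.", "ESNI"): ["key-v1"],  # manual copy of the CDN key
    }
    cdn = cdn_zone("key-v2")  # CDN rotated; the customer zone did not change
    published = resolve(merge(customer, cdn), "example.com.", "ESNI")[0]
    accepted = cdn[("_esni.mycdn.example.", "ESNI")][0]
    return published, accepted


def with_prefix_after_rotation():
    """Scenario 3: the _esni prefix is CNAMEd to the CDN. Rotation needs no
    customer edit, and the apex NS records are untouched.
    Returns (key the client sees, key the CDN accepts, NS for example.com)."""
    customer = {
        ("example.com.", "NS"): CUSTOMER_NS,
        ("example.com.", "A"): ["192.0.2.1"],
        ("_esni.example.com.", "CNAME"): ["_esni.mycdn.example."],
    }
    cdn = cdn_zone("key-v2")  # same rotation as scenario 2
    dns = merge(customer, cdn)
    published = resolve(dns, "_esni.example.com.", "ESNI")[0]
    accepted = cdn[("_esni.mycdn.example.", "ESNI")][0]
    return published, accepted, resolve(dns, "example.com.", "NS")


if __name__ == "__main__":
    print("apex CNAME, NS example.com ->", apex_cname_breaks_ns())
    print("no prefix after rotation   ->", without_prefix_after_rotation())
    print("prefix after rotation      ->", with_prefix_after_rotation())
```

Scenario 1 returns the CDN's name servers for `NS example.com`, which is the delegation breakage the apex rule prevents. Scenario 2 returns `("key-v1", "key-v2")`, the out-of-sync state that every rotation risks when the customer must re-publish the key by hand. Scenario 3 returns the CDN's current key together with the customer's own NS records, with no edit to the customer zone after the rotation.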
