Re: IETF web site behind CloudFlare

On Tue, Sep 16, 2014 at 4:46 PM, Yoav Nir <ynir.ietf@xxxxxxxxx> wrote:

On Sep 16, 2014, at 7:54 PM, Paul Wouters <paul@xxxxxxxxx> wrote:

>
> I would hope IETF would pick a CDN provider that does not require
> insecure CNAME redirection which breaks some of our IETF protocols
> (like DANE). Hopefully, they will address that soon.

Your browser has to get to the CDN server somehow. If not a CNAME, you’ll need to just let www.ietf.org resolve directly to that server. How is that better?

I think you missed the qualifier "insecure". The CNAME record is itself secure (i.e. DNSSEC signed), but the target of the CNAME is located in the unsigned Cloudflare zone. The subsequent address lookup of the target is thus not secure.

It's possible some aspects of DANE may still be secure. For example, as currently configured, only the name www.ietf.org is mapped into Cloudflare. So records like _443._tcp.www.ietf.org. TLSA (if it existed) could still be wholly inside the signed ietf.org zone.

I believe Jari Arkko mentioned at the last IETF that Cloudflare is working on deploying DNSSEC. It would be good to know if they have a specific or estimated timeline for that.

--Shumon.
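The point made above, that a signed CNAME whose target lives in an unsigned zone yields an insecure address answer while a TLSA record at _443._tcp.www.ietf.org would still sit wholly inside the signed ietf.org zone, can be illustrated with a toy validating resolver. The following is an added example, not code from the thread or from the IETF or Cloudflare; the zone data, the CNAME target name (www.ietf.org.cdn.cloudflare.net), the address and the TLSA rdata are all constructed for illustration, and the signed/unsigned status of each zone is an assumption that mirrors the situation described in the message (a real resolver would prove an unsigned delegation via a secure NSEC/NSEC3 denial of DS, which is not modelled here).

```python
# Added example (not part of the original thread): a toy validating resolver
# over constructed zone data. It follows a CNAME chain, notes which zone each
# link lives in, and marks the final answer "insecure" as soon as one link
# comes from an unsigned zone, even though the CNAME record itself is secure.

# Constructed: which zones are DNSSEC-signed (assumption for illustration).
SIGNED_ZONES = {
    ".": True,
    "ietf.org.": True,
    "cdn.cloudflare.net.": False,   # unsigned zone, as described in the thread
}

# Constructed records, (owner, rtype) -> rdata list. The CNAME target name,
# the address and the TLSA rdata are made up for the example.
RECORDS = {
    ("www.ietf.org.", "CNAME"): ["www.ietf.org.cdn.cloudflare.net."],
    ("www.ietf.org.cdn.cloudflare.net.", "A"): ["198.51.100.10"],
    ("_443._tcp.www.ietf.org.", "TLSA"): ["3 1 1 " + "ab" * 32],
}


def zone_of(name):
    """Longest-suffix match of an owner name against the zones we know."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in SIGNED_ZONES:
            return candidate
    return "."


def resolve(qname, qtype, max_chain=8):
    """Resolve qname/qtype following CNAMEs.

    Returns (rdata_list, status, chain). Each chain entry is
    (owner, rtype, zone, zone_is_signed). status is "secure" only if every
    record consulted on the way to the answer lives in a signed zone.
    """
    chain = []
    name = qname
    secure = True
    for _ in range(max_chain):
        zone = zone_of(name)
        signed = SIGNED_ZONES[zone]
        secure = secure and signed
        status = "secure" if secure else "insecure"
        if (name, qtype) in RECORDS:
            chain.append((name, qtype, zone, signed))
            return RECORDS[(name, qtype)], status, chain
        if (name, "CNAME") in RECORDS:
            # A CNAME applies only to its exact owner name; names below it
            # (such as _443._tcp.www.ietf.org) are unaffected.
            chain.append((name, "CNAME", zone, signed))
            name = RECORDS[(name, "CNAME")][0]
            continue
        chain.append((name, qtype, zone, signed))
        return [], status, chain          # NODATA / NXDOMAIN, nothing to follow
    raise RuntimeError("CNAME chain longer than %d links" % max_chain)


def tlsa_name(host, port=443, proto="tcp"):
    """Owner name at which DANE TLSA records for host:port are published."""
    return "_%d._%s.%s" % (port, proto, host)


if __name__ == "__main__":
    for qname, qtype in (("www.ietf.org.", "A"),
                         (tlsa_name("www.ietf.org."), "TLSA")):
        rdata, status, chain = resolve(qname, qtype)
        print("%s %s -> %s (%s)" % (qname, qtype, rdata, status))
        for owner, rtype, zone, signed in chain:
            print("   %-40s %-5s zone=%s %s" % (owner, rtype, zone,
                  "signed" if signed else "UNSIGNED"))
```

Running it shows the A lookup for www.ietf.org ending "insecure" with the first chain entry (the CNAME in ietf.org) signed and the second (the A record in cdn.cloudflare.net) unsigned, while the TLSA lookup at _443._tcp.www.ietf.org never leaves ietf.org and stays "secure".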

