On 07/07/16 02:07, Alex Rousskov wrote:
> Q1. Is wildcard SNI "legal/valid"? I do not know the answer to that question. The "*.example.com" name is certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to be a "fully qualified domain name", but I failed to find a strict-enough RFC definition of an FQDN that would either accept or reject wildcards as FQDNs. I would not be surprised if FQDN syntax is not defined to the level that would allow one to reject wildcards as FQDNs based on syntax alone.
Wildcards can be specified in DNS zonefiles, but I don't think you can ever look them up directly (rather, you look up "something.example.com" and the DNS server itself decides to use the wildcard record to fulfil that request - you never look up *.example.com itself).
> Q2. Can wildcard SNI "make sense" in some cases? Yes, of course. The client essentially says "I am trying to connect to _any_ example.com subdomain at this IP:port address. If you have any service like that, please connect me". That would work fine in deployment contexts where several servers with different names provide essentially the same service and the central "routing point" would pick the "best" service to use. I am not saying it is a good idea to use wildcard SNIs, but I can see them "making sense" in some cases.
Realistically, shouldn't the SNI reflect the DNS request that was made to find the IP of the server you're connecting to? You would never make a DNS request for '*.example.com' so I don't see a reason why you would send an SNI that has a larger scope than the DNS request you made.
--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:             steve@xxxxxxxxxxxx
   Phone:             sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:             sales@xxxxxxxxxxxx
   Phone:             +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:             support@xxxxxxxxxxxx
   Phone:             +44-1792-825748 / sip:support@xxxxxxxxxxxx

squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
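The thread above turns on two facts from RFC 6066 (the SNI host_name must be a fully qualified domain name, and literal IP addresses are not permitted) and one open question (whether a wildcard label is acceptable). The following added example, written for this page and not code from the thread, from Squid, or from any of the posters, parses a server_name extension body and sorts each host_name into a category a proxy or intercepting device could act on. The label syntax regex, the category names, and the choice to report a wildcard as its own category rather than reject it outright are assumptions of this example; the extension bytes it processes are constructed by the example's own encoder, not captured from a real client.

```python
"""Parse a TLS server_name extension body and classify each host_name.

Constructed example: the extension bytes are built by build_server_name_extension,
not captured from a real client.  RFC 6066 says HostName must be a fully
qualified domain name and that literal IPv4/IPv6 addresses are not permitted;
it does not say whether a wildcard label is acceptable, so wildcards are
reported as their own category for local policy to decide rather than rejected.
"""
import ipaddress
import re
import struct

HOST_NAME_TYPE = 0  # NameType.host_name in RFC 6066

# Assumed label syntax (RFC 952/1123 style): letters, digits and hyphens,
# 1..63 characters, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_server_name_extension(body: bytes) -> list:
    """Return the host_name entries from a server_name extension body.

    Layout (RFC 6066 section 3):
      ServerNameList: uint16 length, then ServerName entries
      ServerName:     uint8 name_type, uint16 length, opaque name
    Raises ValueError on truncation or length mismatches.
    """
    if len(body) < 2:
        raise ValueError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("ServerNameList length does not match body")
    names = []
    pos = 2
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated ServerName header")
        name_type = body[pos]
        (name_len,) = struct.unpack("!H", body[pos + 1:pos + 3])
        pos += 3
        if pos + name_len > len(body):
            raise ValueError("truncated ServerName value")
        raw = body[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME_TYPE:
            # RFC 6066 HostName is ASCII; non-ASCII bytes are a protocol error.
            names.append(raw.decode("ascii"))
    return names


def classify_sni(name: str) -> str:
    """Classify one host_name value (category names are this example's own).

    "ip-literal"  address literal, forbidden by RFC 6066
    "wildcard"    whole leading label is '*'; legality undefined, policy decides
    "malformed"   empty, bad label syntax, or a '*' outside the leading label
    "ok"          plain FQDN-shaped name
    """
    if not name:
        return "malformed"
    host = name[:-1] if name.endswith(".") else name  # tolerate trailing dot
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip-literal"
    except ValueError:
        pass
    labels = host.split(".")
    wildcard = False
    if "*" in host:
        # Only "*.rest" counts as a wildcard; anything else with '*' is malformed.
        if labels[0] != "*" or len(labels) < 2 or any("*" in l for l in labels[1:]):
            return "malformed"
        wildcard = True
        labels = labels[1:]
    if not all(_LABEL_RE.match(l) for l in labels):
        return "malformed"
    return "wildcard" if wildcard else "ok"


def build_server_name_extension(names) -> bytes:
    """Constructed helper: encode host_name entries the way a client would."""
    entries = b"".join(
        struct.pack("!BH", HOST_NAME_TYPE, len(n)) + n.encode("ascii") for n in names
    )
    return struct.pack("!H", len(entries)) + entries


def classify_extension(body: bytes) -> dict:
    """Map every host_name in an extension body to its category."""
    return {n: classify_sni(n) for n in parse_server_name_extension(body)}


if __name__ == "__main__":
    sample = build_server_name_extension(["*.example.com", "www.example.com"])
    for n, verdict in classify_extension(sample).items():
        print(n, verdict)
```

The parser rejects length mismatches before looking at any name, which is where a proxy is most exposed to hostile ClientHellos; the classifier then leaves the wildcard decision to the operator, matching the thread's conclusion that the RFC does not settle it.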