ietf

Re: IETF web site behind CloudFlare

2014-09-16 19:39:37
On Tue, Sep 16, 2014 at 4:46 PM, Yoav Nir
<ynir(_dot_)ietf(_at_)gmail(_dot_)com> wrote:

> On Sep 16, 2014, at 7:54 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
>
>> I would hope IETF would pick a CDN provider that does not require
>> insecure CNAME redirection which breaks some of our IETF protocols
>> (like DANE). Hopefully, they will address that soon.
>
> Your browser has to get to the CDN server somehow. If not a CNAME, you’ll
> need to just let www.ietf.org resolve directly to that server. How is
> that better?

I think you missed the qualifier "insecure". The CNAME record is itself
secure (i.e. DNSSEC signed), but the target of the CNAME is located in the
unsigned Cloudflare zone. The subsequent address lookup of the target is
thus not secure.

It's possible some aspects of DANE may still be secure. For example, as
currently configured, only the name www.ietf.org is mapped into Cloudflare.
So records like _443._tcp.www.ietf.org. TLSA (if it existed) could still be
wholly inside the signed ietf.org zone.

I believe Jari Arkko mentioned at the last IETF that Cloudflare is working
on deploying DNSSEC. It would be good to know if they have a specific or
estimated timeline for that.

--Shumon.
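As an added illustration of the point made in this reply (example code written for this archive, not part of the thread or of any IETF or Cloudflare software): a toy resolver that follows a CNAME and reports the answer as "secure" only when every RRset in the chain lives in a signed zone, and that shows the TLSA owner name `_443._tcp.www.ietf.org` staying inside the signed ietf.org zone. The CNAME target, the CDN zone name, the address and the TLSA digest are constructed placeholders.

```python
# Toy model of DNSSEC validation status across a CNAME chain (added example).
# Zone data is constructed: ietf.org is signed, the CDN zone is not. The
# target name "www-ietf-org.cdn-placeholder.net." stands in for whatever the
# real CDN target is; it is not Cloudflare's actual name.
ZONES = {
    "ietf.org.": {"signed": True, "records": {
        ("www.ietf.org.", "CNAME"): ["www-ietf-org.cdn-placeholder.net."],
        # A TLSA record at the _443._tcp prefix is a different owner name,
        # so the CNAME at www.ietf.org does not pull it into the CDN zone.
        ("_443._tcp.www.ietf.org.", "TLSA"): ["3 1 1 DIGEST-PLACEHOLDER"],
    }},
    "cdn-placeholder.net.": {"signed": False, "records": {
        ("www-ietf-org.cdn-placeholder.net.", "A"): ["192.0.2.10"],
    }},
}


def zone_for(name):
    """Longest-suffix match: return the zone that holds owner name `name`,
    or None if no known zone contains it."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def resolve(name, rtype, max_chain=8):
    """Follow CNAMEs from `name` looking for `rtype`. Returns (rdata, status)
    where status is 'secure' only if every RRset touched on the way lives in
    a signed zone, 'insecure' if any hop is unsigned, 'indeterminate' if a
    hop falls outside the known zones."""
    secure = True
    for _ in range(max_chain):
        zone = zone_for(name)
        if zone is None:
            return [], "indeterminate"
        secure = secure and ZONES[zone]["signed"]
        records = ZONES[zone]["records"]
        status = "secure" if secure else "insecure"
        if (name, rtype) in records:
            return records[(name, rtype)], status
        if (name, "CNAME") in records:
            name = records[(name, "CNAME")][0]  # hop to the target name
            continue
        return [], status  # NODATA at this name
    raise RuntimeError("CNAME chain too long")


def tlsa_name(host, port=443, proto="tcp"):
    """Build the DANE TLSA owner name for a service (RFC 6698 naming)."""
    return f"_{port}._{proto}.{host}"
```

Running `resolve("www.ietf.org.", "A")` yields the address with status "insecure" because the final A lookup happens in the unsigned zone, while `resolve(tlsa_name("www.ietf.org."), "TLSA")` stays "secure".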