Is ESNI actually happening somehow? Wasn't it only for some big CDNs or something due to its architecture?
ESNI was replaced by Encrypted Client Hello (ECH). It relies on the new HTTPS record type which isn't broadly supported yet. It shouldn't end up being that hard to deploy but software largely doesn't support it yet. It's still somewhat useful even without a shared server IP.
2
1
My solution in this space of "my browser works properly with walled garden services" also solves for, in some cases, non-walled services, wherein the same endpoint that handles the acme challenge forwarding also has a path that drops out to splice(2) after initial routing
1
It's this spliced part that I think will be most affected, but I'm also not yet sure (haven't read enough, which is most of why I'm afraid it'll make a mess), if it's also going to make the acme dance indirection harder
1
The subtle part here that I quite like is that my tls middlebox actually _can't_ decrypt the traffic it routes
2
I expect nginx.org/en/docs/stream will support ECH. The load balancer will be where ECH terminates but not TLS. I don't think that's a problem because I think the way it works is there's a separate key for ECH with the public key in the HTTPS record. I can't remember all details.
1
Nothing really seems to implement ECH yet and the only place that I've seen explicit HTTPS record support is Cloudflare's DNS. At this point, it's not really something that's actually available for use unless you implement it yourself. It definitely won't be commonly used anyway.
1
Yeah, and I'm torn because I think it's a healthy feature for the ecosystem but I'll have to type more than a 30 loc record parser to implement it 🤣
1
Turns out ldns (drill) does actually support HTTPS records in the development branch but the last stable release was in 2019.
PowerDNS has support for it too but it hasn't been added to all the documentation yet.
doc.powerdns.com/authoritative/
I don't get why ipv4hint/ipv6hint exist.
1
Main purpose of it is to declare HTTP/3 support for the first connection and the ECH key.
It also acts like HSTS which I guess could be useful for clients without the Chromium HSTS preload list which do have DNSSEC + HTTPS record support, or for fresh domains not preloaded yet.
1
1
github.com/GrapheneOS/ns1
Decided to add them since they get regularly requested due to Apple clients using it.
ECH uses ech=public_keys in there but even OpenSSL/BoringSSL don't support it, let alone nginx and other applications having support for it.
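Several replies above turn on what an HTTPS record actually carries: the alpn list that advertises HTTP/3, the ipv4hint/ipv6hint addresses, and the ech= value holding the ECHConfigList that a client needs before it can send an encrypted ClientHello. The following is an added example, not code from anyone in this thread: a small parser for the wire-format RDATA of an HTTPS/SVCB record as laid out in RFC 9460 (SvcPriority, TargetName, then SvcParams as key/length/value triples with keys in strictly increasing order). The sample record bytes are constructed inline; the ech payload in it is a placeholder byte string, not a real ECHConfigList, since the DNS layer treats that value as opaque anyway.

```python
"""Parse the wire-format RDATA of a DNS HTTPS/SVCB record (RFC 9460).

Added example, independent of the thread above. The record bytes below are
constructed for illustration; the ech= value is a placeholder, not a real
ECHConfigList.
"""
import ipaddress
import struct

# SvcParamKey registry values from RFC 9460.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def read_name(data, pos):
    """Read an uncompressed wire-format domain name; SVCB forbids compression pointers."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated TargetName")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not permitted in SVCB TargetName")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return (".".join(labels) + ".") if labels else ".", pos


def decode_value(key, value):
    """Decode the SvcParamValue for the keys this example understands; others stay opaque."""
    if key == 0:  # mandatory: list of uint16 SvcParamKeys
        if len(value) % 2:
            raise ValueError("mandatory list must be a multiple of 2 bytes")
        return list(struct.unpack("!%dH" % (len(value) // 2), value))
    if key == 1:  # alpn: sequence of 1-byte-length-prefixed protocol ids
        ids, p = [], 0
        while p < len(value):
            n = value[p]
            p += 1
            if p + n > len(value):
                raise ValueError("truncated alpn id")
            ids.append(value[p:p + n].decode("ascii"))
            p += n
        return ids
    if key == 3:  # port: uint16
        if len(value) != 2:
            raise ValueError("port must be exactly 2 bytes")
        return struct.unpack("!H", value)[0]
    if key == 4:  # ipv4hint: concatenated 4-byte addresses
        if len(value) % 4:
            raise ValueError("ipv4hint length is not a multiple of 4")
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == 6:  # ipv6hint: concatenated 16-byte addresses
        if len(value) % 16:
            raise ValueError("ipv6hint length is not a multiple of 16")
        return [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return value  # ech (ECHConfigList) and unknown keys are opaque at the DNS layer


def parse_https_rdata(data):
    """Return {'priority', 'target', 'params'} for one HTTPS/SVCB RDATA blob."""
    if len(data) < 2:
        raise ValueError("truncated RDATA")
    priority = struct.unpack("!H", data[:2])[0]
    target, pos = read_name(data, 2)
    params, last_key = {}, -1
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if key <= last_key:  # RFC 9460 requires strictly increasing keys; reject otherwise
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        pos += length
        params[SVCPARAM_KEYS.get(key, "key%d" % key)] = decode_value(key, value)
    if priority == 0 and params:  # AliasMode records carry no SvcParams
        raise ValueError("AliasMode record must not carry SvcParams")
    return {"priority": priority, "target": target, "params": params}


def svcparam(key, value):
    """Encode one SvcParam (key, length, value) for building sample records."""
    return struct.pack("!HH", key, len(value)) + value


# Constructed sample: ServiceMode record for the owner name itself (TargetName ".")
# advertising h2 and h3, address hints, and a placeholder ech= value.
SAMPLE_RDATA = (
    struct.pack("!H", 1) + b"\x00"
    + svcparam(1, b"\x02h2\x02h3")
    + svcparam(4, ipaddress.IPv4Address("192.0.2.1").packed)
    + svcparam(5, b"\x00\x04ECH!")  # placeholder bytes, not a real ECHConfigList
    + svcparam(6, ipaddress.IPv6Address("2001:db8::1").packed)
)

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_RDATA))
```

The strict key-ordering and AliasMode checks are there because a resolver or client that silently accepts a malformed record is the kind of thing that later turns into a parsing inconsistency between components; rejecting early keeps the behaviour predictable. Whether a client can actually use the ech value depends on the TLS stack, which is the gap the last reply above points out.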