Synapse: Federation uses incorrect Host: header when SRV record is present

I'm failing to understand why this isn't a dup of #1491

Ooops, it indeed is. The comments of that issue mostly discussed SNI, and I failed to read the original post carefully.

This specific point was discussed in the context of dendrite today; the conclusion was that the current behaviour is actually correct.

Here are our reasons:

• SRV records are in some way analogous to CNAMEs; in the case of CNAMEs, we base the Host: header on the original host, not the CNAME target.
• DNS is insecure. Mallory could spoof a DNS response to Alice who's trying to contact Bob telling her to contact Mallory instead. if the SNI was based on the DNS response, Alice would then verify she's talking to Mallory, not Bob, leaving a gaping hole in the protocol.
  
  
  
  • We can draw a parallel with DANE, which has an RFC (7673) which happens to describe how to verify TLS when SRV is insecure and there's no TLSA records (i.e. DANE isn't being used) - which is our situation here. The recommendation is to verify the server_name part (the "source address") and not what the SRV record points to.)
  
  
• from a purely practical perspective, it seems easier to vhost based on the server name than the intermediate dns entry for whichever host the client happened to pick from the SRV records.

This decision is kind of security by obscurity. Use DNSSEC instead.