IETF Logo Mail Archive

Re: [Add] questions about the Examples section of svcb-dns-02

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 09 April 2021 16:37 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E14D3A26E4 for <add@ietfa.amsl.com>; Fri, 9 Apr 2021 09:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LV0je6CuSMsm for <add@ietfa.amsl.com>; Fri, 9 Apr 2021 09:37:41 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E54993A0CE3 for <add@ietf.org>; Fri, 9 Apr 2021 09:37:38 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id B82776A013; Fri, 9 Apr 2021 18:37:33 +0200 (CEST)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id k16OK82CcGCGEAAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Fri, 09 Apr 2021 18:37:33 +0200
Message-ID: <64619ceb5be566f5498e2342b96334a250a4d210.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: ADD Mailing list <add@ietf.org>
Date: Fri, 09 Apr 2021 18:37:33 +0200
In-Reply-To: <CAHbrMsAo2vufYA4dTLXYC1pAUpEVMmRw70iZzfbK6ydtvWSVzw@mail.gmail.com>
References: <4613b8d0773d1ae5f806347bbce909fa74439886.camel@powerdns.com> <CAHbrMsCM3pwu7zYVhVzCMKB37_gSMyb6KY3je3NVYQBAwt6kNg@mail.gmail.com> <dc371c7284d3c05d07cf0a550b37f9a624d968c9.camel@powerdns.com> <ba952ca3-b6fe-be9a-8829-a926cb32e148@shaw.ca> <CAHbrMsAN0PkC-yUdWR6HhkrX-JJ3cCwvgGBJRD2EXLYRjbQVEw@mail.gmail.com> <a18e11d6a62b78c8f2b07940dd8e68acede3cac8.camel@powerdns.com> <CABcZeBNzULgbQfV_1wj+se5KWT5joS5c3dbLhft6SvR2SwK79w@mail.gmail.com> <CAHbrMsAo2vufYA4dTLXYC1pAUpEVMmRw70iZzfbK6ydtvWSVzw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/KUbOC6y39Cs-pVc6Te7gHo3thG0>
Subject: Re: [Add] questions about the Examples section of svcb-dns-02
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 16:37:46 -0000

Hi Ben,

On Fri, 2021-04-09 at 10:50 -0400, Ben Schwartz wrote:
> On Fri, Apr 9, 2021 at 9:16 AM Eric Rescorla <ekr@rtfm.com> wrote:
> > On Fri, Apr 9, 2021 at 12:37 AM Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
> > 
> ... 
> > > I think this one hits the core of the problem for me. I'm not confused
> > > about what -empty- SvcParams mean. I am (well, I was) confused by
> > > alpn=h2,h3 meaning alpn=dot,h2,h3.
> > 
> > I agree. Merging default with provided is a surprising behavior. If there is a provided ALPN it should replace the default.
> > 
> 
> This behavior was chosen for SVCB primarily due to concerns about 'alpn=h3' in the HTTPS context.  Without the merge-default behavior, 'alpn=h3' would (in some cases) result in clients failing the connection if QUIC is blocked, and not falling back to TCP (because no TCP-compatible ALPN is advertised).  Some participants viewed this as a serious "footgun", because H3-only configurations will generally appear to work in testing but result in an outage when deployed, and other participants felt it was important to support H3-only endpoints, so we attempted to make it hard to do this by accident (but still possible if you really want).

Somebody said to me 'but it is exactly like in HTTPS' - my response was
'it would be if the default alpn was do53, not dot'.

> SVCB is in WGLC in DNSOP, so if you think this compromise is not reasonable, we should probably discuss it there.

Making it hard to accidentally drop https/1.1 makes sense to me, so the
compromise is reasonable.

Making it easy to accidentally include dot does not make sense to me,
so the compromise is not reasonable (as long as the default alpn is
dot).

> > > So I wonder if having a default, but alpn= always *replacing* that
> > > default instead of appending to it, might make more sense. It certainly
> > > feels clearer to me.
> 
> The interpretation of "alpn" and "no-default-alpn" is currently specified to be protocol-independent in SVCB.  We could override this in the DNS mapping (e.g. "for DNS, no-default-alpn is not used, and the ALPN is 'dot' if the alpn key is absent").  Making use of this key subtly different in each mapping makes me sad, and might make it harder to share code for handling the ALPN set, but it is possible.

I also don't like making the -logic- protocol dependent, and agree we
should avoid that when possible.

> Setting "dot" as the default ALPN seems logical to me.  However, I think it would also be reasonable to say that there is no default ALPN, because DoT is not a well-established default for encrypted DNS, in the way that HTTP/1.1 over TLS is for HTTPS.

Yes! This is exactly the insight I had in an offline conversation.
These protocols are not in the same class for their respective
purposes.

So, if we say there is no default alpn, then 


SVCB 1 @ alpn=h2,h3 dohpath=/dns-query{?dns}

means DoH, full stop. To mean what it used to mean, it would have to
say alpn=h2,h3,dot.


SVCB 2 @ port=8530

is invalid and would need alpn=dot.


SVCB 3 fooexp ( port=5353 alpn=foo no-default-alpn foo-info=... )

means what it did, with a useless no-default-alpn stanza.


I like this. Making the default alpn empty solves the confusion for
svcb-dns without affecting the https use case.

(If we go this way, it may make sense to put a few words in the parent
draft on choosing a default alpn, including the option of picking
'none', for protocols that use SVCB. I'm happy to try and write
something for that if you like.)

> > > In terms of packet size, some records may spend four more bytes on
> > > 'dot,' because they do combine it with DoH in one SVCB record. Other
> > > records will spend a few bytes less on not needing no-default-alpn. I
> > > don't know how this balances out in the end.
> 
> I expect that most encrypted DNS servers will implement DoT, especially in ADoT contexts where size is a concern, so I think the record size question will favor the current model.  However, I don't think this is a major concern.

I expect that most encrypted DNS *services* will implement DoT; I have
a harder time predicting whether they will do so on the same IPs/names
that serve DoH, DoQ, 'fooexp'. That said, I also don't consider the
size difference between defaultalpn=dot and defaultalpn='' to be a
major concern.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email