Re: [Add] Fwd: New Version Notification for draft-schwartz-svcb-dns-00.txt
Steffen Nurpmeso <steffen@sdaoden.eu> Wed, 05 August 2020 14:36 UTC
Return-Path: <steffen@sdaoden.eu>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 097F53A0A09 for <add@ietfa.amsl.com>; Wed, 5 Aug 2020 07:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4PDW1-SbO9u for <add@ietfa.amsl.com>; Wed, 5 Aug 2020 07:36:09 -0700 (PDT)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E876B3A0A29 for <add@ietf.org>; Wed, 5 Aug 2020 07:36:08 -0700 (PDT)
Received: by sdaoden.eu (Postfix, from userid 1000) id 615CD16058; Wed, 5 Aug 2020 16:36:06 +0200 (CEST)
Date: Wed, 05 Aug 2020 16:36:04 +0200
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: ADD Mailing list <add@ietf.org>, Steffen Nurpmeso <steffen@sdaoden.eu>
Message-ID: <20200805143604.h2FWD%steffen@sdaoden.eu>
In-Reply-To: <CAHbrMsDtFNDB5TDz=HNejVi_RMbq_8Q6=o6iW_gyDr=ggZjyNA@mail.gmail.com>
References: <159656272783.7072.6229544475907348131@ietfa.amsl.com> <CAHbrMsDtFNDB5TDz=HNejVi_RMbq_8Q6=o6iW_gyDr=ggZjyNA@mail.gmail.com>
Mail-Followup-To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, Steffen Nurpmeso <steffen@sdaoden.eu>
User-Agent: s-nail v14.9.19-99-g19301483-dirty
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qYD3ab7grUNl7KvNut--Ni-6LXw>
Subject: Re: [Add] Fwd: New Version Notification for draft-schwartz-svcb-dns-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 14:36:11 -0000
[dropping the DNS only lists i am not subscribed to] Ben Schwartz wrote in <CAHbrMsDtFNDB5TDz=HNejVi_RMbq_8Q6=o6iW_gyDr=ggZjyNA@mail.gmail.com>: |Hi ADD and DPRIVE, | |I've noticed three recent drafts that propose to use the SVCB format: |draft-mglt-add-rdp, draft-tapril-ns2, and |draft-pauly-add-resolver-discovery. These drafts, across multiple I do not want to be counterproductive, having read only one of those drafts, and having read all of DNS except for zone transfer related RFCs >15 years ago in order to create a caching stub resolver, but i "like" DNS, and am fascinated of this protocol that is in use for such a long time, and still scales and is omnipresent. -Today- Yesterday i have reread RFC 6763 and RFC 2782 and really like all of it. Is there a "benefit in changing established practice". I never liked IDNA, i would have imposed a policy to rise the length limit by then, using UTF-8 (or UTF-7, maybe, as still in IMAP, though not have read the draft of v2 yet) and as of today i would presume all in-use name servers could serve those requests, aka even long domain names could be assigned all over the world. Its version 2 introduced the incompatibilities that ought to be avoided. I personally do not see an improvement in introducing yet another RR in order to support this. Maybe i should look in bind code or so and test whether it would be harder to return the favoured or desired set of RR combinations for a RR type or a question for a specific SRV. But even a clause that says "if that RR is provided HTTPS transport is a MUST" does not justify that for me. I.e., you could ask for "dnss://" and get A/AAAA for http[123]:// in combination also. Of course SVCB is more explicit. But o Address a set of long-standing issues due to HTTP(S) clients not implementing support for SRV records, as well as due to a limitation that a DNS name can not have both CNAME and NS RRs (as is the case for zone apex names)) draft-jennings-http-srv never made it. _https._tcp is no option therefore as of today. I really had to read the possibly one year plus IETF discussion history on why this did not make it. But i think the above is unfair, it misses the context. I could imagine they did not implement it because it is still unnecessary as of today in practice, there is /etc/service or an equivalent, and since port numbers are part of the standards the answer you get by getservbyname(3) aka getservent(3), as of today, is sufficient. It comes from BSD 4.3 or even BSD 4.2 (commit by Kirk McKusick dating 1985-05-15 says "manual page first distributed with 4.2BSD", "+.TH GETSERVENT 3N "9 February 1983", i did not look for code). And, wow!, this is not far from 40 years! And it still serves. Also, HTTP is often accompanied with hypertext aka HTML++, where URLs are a vivid part, so that special needs for port numbers etc. can simply be fed into the machinery via href= etc. etc. And i think almost everybody who uses the web ("normal users") for some time "has already seen" port numbers 80, 8080, and increasingly 443 "sometime". But especially the former two. So i do not get your thing above at all. If, with IPv6 and the IoT, the above does no longer SRV, then what is missing to SRV, port etc it can all carry along. o Provide an HSTS-like indication signaling for the duration of the DNS RR TTL that the HTTPS scheme should be used instead of HTTP (see Section 7.6). I mean that can very well be bundled with anything that needs to be implemented anew. But sure, non-S is leaving. ... 1. Issue parallel AAAA/A and SVCB queries for the name HOST. Maybe just another reason why this is not yet implemented widely for such omnipresent things like HTTP. But noone cares no more about increasing packet sizes etc., so "just bundling" and getting more in return without additional roundtrips is surely a nice thing, EDNS is also 20 years or more. Just like OCSP stapling etc., it is just increasingly used (one more thing _i_ have to do), whereas just a few years ago the additional cost of OCSP was the reason it was not implemented in a widely used OSS HTTP server (i use myself). The draft also talks about "anticipating protocols", therefore envisions simply replacing the established SRV with this new RR. You know, i do not like TXT, being explicit is better, but then again the TXT answers are standardized, so i guess that is ok. It surely can serve another defined format for SRV. ... For a different draft, i like the X.509 constraint option for the "MUD" way of RFC 8520, to resolve the "refrigerator" hang of mine. From a user point of view i like the idea that all devices identify themselves "cryptographically save". Even if all light bulbs pass the very same client certificate along. I could imagine they contact my DHCP/DTLS server, and if i ok the certificate further connections are allowed to invoke a dhcpcd hook here, for example. If the constraints are so that really nothing more than an URL can be passed along, initiating "MUD" via DHCP hook i can imagine. Hard to believe the industry wants to flood the world with tiny devices which cannot do D?TLS handshakes aka present at least a X509 certificate. Here i personally would be fine with just using a subjectAltName addition or a defined nsComment content, these are available for a long time. I only wanted to add this. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
- [Add] Fwd: New Version Notification for draft-sch… Ben Schwartz
- Re: [Add] New Version Notification for draft-schw… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Steffen Nurpmeso
- Re: [Add] Fwd: New Version Notification for draft… Steffen Nurpmeso
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… Steffen Nurpmeso
- Re: [Add] New Version Notification for draft-schw… Eric Orth
- Re: [Add] New Version Notification for draft-schw… Ben Schwartz
- [Add] DNS URI scheme (was SVCB for DNS) Martin Thomson
- Re: [Add] New Version Notification for draft-schw… Eric Orth
- Re: [Add] DNS URI scheme (was SVCB for DNS) Ben Schwartz
- Re: [Add] New Version Notification for draft-schw… Ben Schwartz
- Re: [Add] DNS URI scheme (was SVCB for DNS) Tommy Pauly
- Re: [Add] DNS URI scheme (was SVCB for DNS) Eric Orth
- Re: [Add] DNS URI scheme (was SVCB for DNS) Ted Hardie
- Re: [Add] DNS URI scheme (was SVCB for DNS) Martin Thomson
- Re: [Add] DNS URI scheme (was SVCB for DNS) Ted Hardie
- Re: [Add] DNS URI scheme (was SVCB for DNS) Christian Huitema
- Re: [Add] DNS URI scheme (was SVCB for DNS) Ted Hardie