Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> for your review
Erik Nygren <nygren@gmail.com> Tue, 10 October 2023 21:14 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A0BC14F73F; Tue, 10 Oct 2023 14:14:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhgRv_I3O7a2; Tue, 10 Oct 2023 14:14:12 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7777C151079; Tue, 10 Oct 2023 14:14:11 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id ffacd0b85a97d-3215f19a13aso6073030f8f.3; Tue, 10 Oct 2023 14:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696972449; x=1697577249; darn=rfc-editor.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=T4GKHfbcjWrq+zlX7lVuw6+MjUIotCPS+II7lpVoqhM=; b=VjeZbPHVEOPyrfBClEKDyQRBlb9Jt8Y9prWGY4H3HWt9s6/tJk10RyitoXzAVtYtvM gd8FWAEgnwuSosySCSoR3r9A+t8nsTqrnndWokr4v9vuu7T4QkRFYJyLot/kyYumZWuo /vQiJlk8PRIowAXdWMiN1+6aYwti+bSAPcY+QQko8Djv4VZbW89GKxRVOXdnhIpNEoQ/ pCaj5VDkjSMhLl+H4i/Z2p1Tj37Yy35NYIoo0wmi9TvITfFC/riiMTKcUxrXMHGBnsBl 3THgMhqRpL3J/kkdUfzalLKo0PhR5EJckZF6tvLpT81KMRHCNLXcwtSwrFeFpvROhGL0 Z63g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696972449; x=1697577249; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=T4GKHfbcjWrq+zlX7lVuw6+MjUIotCPS+II7lpVoqhM=; b=iSoFJuIU85hv/cf+SvwsmOatBMjY03PtzjOPBUWI+zOiMyN7VDWePUwcgWxb249NqM USDpwO2kHhbBQrgJDqHo3g3E6BzOaq7Mcfi7zPhoNJF/WL4SoBMP/A4yEA1IpheZJUMA GrYFjGO+0QTx3uNxL1RPbMz7TBtJoLF6y/6xw9uICeWq+Owg2qoMJMxx3+XVK2BzIjyK wt3RfsfOQQI1KX+TopqzXJpy0fAsFEjKMsz23Ox/DkS3sq7cpcEshKzIViC9iLAYsYta 74ZKYb0Wc6WqYMvtg8xkCPU1KSKkTJDDA0dsFDhXi9YPs+ac+5BIFQKKzgATXfQ3XpsZ QnNQ==
X-Gm-Message-State: AOJu0Yy7OhCVpsJpDBGWkbNCx763fba3bXrxsWK8qkkuaT28ozMq8t7w nZ+DwJFha4m3UhJSHwqJAtyljy2LCBkI96y/qDo=
X-Google-Smtp-Source: AGHT+IHCyOXtREI3Wzjf5uJvMnEX2IjfWrVcU4uXhvQPR5hAfxN/Jv0DtqEekuBUIGFvvbE88AA0KrPBrmFJuB3RHng=
X-Received: by 2002:a5d:4802:0:b0:324:7a6b:d4fe with SMTP id l2-20020a5d4802000000b003247a6bd4femr18157790wrq.9.1696972448673; Tue, 10 Oct 2023 14:14:08 -0700 (PDT)
MIME-Version: 1.0
References: <20230909024843.23314E5EA7@rfcpa.amsl.com> <PH0PR22MB3102689F598B65A0549D2027DAF9A@PH0PR22MB3102.namprd22.prod.outlook.com> <E9C199B0-4A37-4D3E-862B-70C7ED633E9B@amsl.com> <PH0PR22MB3102283BB824AF4DB536E323DAC3A@PH0PR22MB3102.namprd22.prod.outlook.com> <0C007762-281B-4ED3-9962-0CC14A97C8BF@amsl.com> <PH0PR22MB310273423E2E6F9C345A282BDAC0A@PH0PR22MB3102.namprd22.prod.outlook.com> <253A4E3B-EECB-408F-8785-668E0C197C78@amsl.com> <DM6PR15MB3292FE8BD4FD2C6E39DFC5D4B3CBA@DM6PR15MB3292.namprd15.prod.outlook.com> <CAKC-DJgSLmE0p9Z5ixG3qAiRUY2dKy4pVaKkR0-fXF3q+ZdhqQ@mail.gmail.com> <5463F24A-F1B4-4F24-B658-DDAA5F2BBF3D@amsl.com> <PH0PR22MB310217B61940C8B9D9DFFBB1DAC9A@PH0PR22MB3102.namprd22.prod.outlook.com>
In-Reply-To: <PH0PR22MB310217B61940C8B9D9DFFBB1DAC9A@PH0PR22MB3102.namprd22.prod.outlook.com>
From: Erik Nygren <nygren@gmail.com>
Date: Tue, 10 Oct 2023 17:13:56 -0400
Message-ID: <CAKC-DJhtLjEBi0t8nFfYn7yXi6CQVDdTRrPWPTt_AWCBMTBQZQ@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Cc: Lynne Bartholomew <lbartholomew@amsl.com>, Ben Schwartz <bemasc@meta.com>, "ietf@bemasc.net" <ietf@bemasc.net>, "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, "dnsop-ads@ietf.org" <dnsop-ads@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>, "auth48archive@rfc-editor.org" <auth48archive@rfc-editor.org>, Erik Nygren <erik+ietf@nygren.org>
Content-Type: multipart/alternative; boundary="000000000000ff36d00607632f78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/UpwvreUpbX4Xe2wMOL4jC5T1c3M>
X-Mailman-Approved-At: Fri, 13 Oct 2023 10:43:03 -0700
Subject: Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2023 21:14:17 -0000
I took a final reading pass through and the only thing that jumped out would be to change this: - "," and "\" characters instead of implementing the <tt>value-list</tt> escaping + "," and "\" characters in ALPN IDs instead of implementing the <tt>value-list</tt> escaping The current text is ambiguous as to whether those characters are prohibited in ALPN IDs or prohibited in value-list. It is clear that the intent is for them to only be prohibited in ALPN IDs so that value-list can contain commas, but inserting the "in ALPN IDs" would reduce risk of misreading. Everything else looks good. I believe Mike and Ben are making similar read-throughs. Thanks, Erik On Fri, Oct 6, 2023 at 4:30 PM Mike Bishop <mbishop@evequefou.be> wrote: > Ben proposed this text on GitHub: > > In this document, this algorithm is referred to as "character-string > decoding", because > <xref target="RFC1035" sectionFormat="of" section="5.1"/> uses this > algorithm to produce a <tt><character-string></tt>. > > (And a corresponding "the allowed input" => "some allowed inputs".) > > The attached XML incorporates this proposal, if that works for everyone. > > -----Original Message----- > From: Lynne Bartholomew <lbartholomew@amsl.com> > Sent: Thursday, October 5, 2023 12:32 PM > To: Erik Nygren <erik+ietf@nygren.org>; Ben Schwartz <bemasc@meta.com> > Cc: Mike Bishop <mbishop@evequefou.be>; ietf@bemasc.net; > rfc-editor@rfc-editor.org; dnsop-ads@ietf.org; dnsop-chairs@ietf.org; > tjw.ietf@gmail.com; auth48archive@rfc-editor.org > Subject: Re: AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> for > your review > > Hi, Erik and Ben. > > Erik, thank you for the suggestion. Ben, is Erik's suggestion acceptable, > and may we update accordingly? > > Thank you! > > RFC Editor/lb > > > On Oct 5, 2023, at 6:12 AM, Erik Nygren <erik+ietf@nygren.org> wrote: > > > > What about "described in" (instead of just "in" or "per") ? > > So: > > > > -it is used to produce a <tt><character-string></tt> in > > +it is used to produce the <tt><character-string></tt> described in > > > > ? > > > > On Wed, Oct 4, 2023 at 11:58 AM Ben Schwartz <bemasc@meta.com> wrote: > > Re: "We made the additional update (changed "in" to "per") per your note > for 1) below." > > > > I think we need to give that section another look. I believe that "per" > may not be correct here. > > > > --Ben Schwartz > > > > From: Lynne Bartholomew <lbartholomew@amsl.com> > > Sent: Tuesday, October 3, 2023 12:29 PM > > To: Mike Bishop <mbishop@evequefou.be> > > Cc: ietf@bemasc.net <ietf@bemasc.net>; erik+ietf@nygren.org < > erik+ietf@nygren.org>; rfc-editor@rfc-editor.org < > rfc-editor@rfc-editor.org>; dnsop-ads@ietf.org <dnsop-ads@ietf.org>; > dnsop-chairs@ietf.org <dnsop-chairs@ietf.org>; tjw.ietf@gmail.com < > tjw.ietf@gmail.com>; auth48archive@rfc-editor.org < > auth48archive@rfc-editor.org> > > Subject: Re: AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> for > your review > !-------------------------------------------------------------------| > > This Message Is From an External Sender > > > > |-------------------------------------------------------------------! > > > > Hi, Mike. > > > > Thank you for the latest updated XML file! > > > > We made the additional update (changed "in" to "per") per your note for > 1) below. > > > > FYI that the new line breaks in the list in Section 1.2 constitute a bug > (https://github.com/ietf-tools/xml2rfc/issues/1045). We hope that this > issue will be resolved soon. > > > > The latest files are posted here (please refresh your browser): > > > > https://www.rfc-editor.org/authors/rfc9460.txt > > https://www.rfc-editor.org/authors/rfc9460.pdf > > https://www.rfc-editor.org/authors/rfc9460.html > > https://www.rfc-editor.org/authors/rfc9460.xml > > https://www.rfc-editor.org/authors/rfc9460-diff.html > > https://www.rfc-editor.org/authors/rfc9460-rfcdiff.html > > https://www.rfc-editor.org/authors/rfc9460-auth48diff.html > > https://www.rfc-editor.org/authors/rfc9460-lastdiff.html > > https://www.rfc-editor.org/authors/rfc9460-lastrfcdiff.html > > > > https://www.rfc-editor.org/authors/rfc9460-xmldiff1.html > > https://www.rfc-editor.org/authors/rfc9460-xmldiff2.html > > https://www.rfc-editor.org/authors/rfc9460-alt-diff.html > > > > Thanks again! > > > > RFC Editor/lb > > > > > On Sep 29, 2023, at 11:52 AM, Mike Bishop <mbishop@evequefou.be> > wrote: > > > > > > 1) This is fine. > > > > > > 2) All reasonable, but we'd prefer to avoid nested parentheses. In > the attached, we've changed this to "supported protocols" in 3.2 and moved > the expansion back to 7.1. > > > > > > We also noted in reviewing the change to the title of Figure 1 that > this URL was not quoted, so we've added those. > > > > > > -----Original Message----- > > > From: Lynne Bartholomew <lbartholomew@amsl.com> > > > Sent: Thursday, September 28, 2023 11:48 AM > > > To: Mike Bishop <mbishop@evequefou.be> > > > Cc: ietf@bemasc.net; erik+ietf@nygren.org; rfc-editor@rfc-editor.org; > dnsop-ads@ietf.org; dnsop-chairs@ietf.org; tjw.ietf@gmail.com; > auth48archive@rfc-editor.org > > > Subject: Re: AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> > for your review > > > > > > Hi, Mike. > > > > > > Thank you very much for the updated XML file! > > > > > > Thanks also for the detailed list of updates after your "late-arriving > review from the DNS Directorate" note; your note informed us that we would > not need to ask for AD approval for any of those updates; very helpful and > much appreciated! > > > > > > A couple follow-up items for you: > > > > > > 1) "used to produce a <character-string> in Section 5.1 of [RFC1035]" > reads a bit oddly. May we change it to "used to produce a > <character-string> per Section 5.1 of [RFC1035]"? > > > > > > 2) Please note that per our style guidelines we made the following > updates to your copy: > > > > > > * Moved the expansion of "ALPN" from Section 7.1 to Section 3.2. > > > * Changed "Section 2.4.2 and Section 3" to "Sections 2.4.2 and 3" in > Section 9.1. > > > * Changed "At" to "at" in the title of Figure 1. > > > > > > The latest files are posted here: > > > > > > https://www.rfc-editor.org/authors/rfc9460.txt > > > https://www.rfc-editor.org/authors/rfc9460.pdf > > > https://www.rfc-editor.org/authors/rfc9460.html > > > https://www.rfc-editor.org/authors/rfc9460.xml > > > https://www.rfc-editor.org/authors/rfc9460-diff.html > > > https://www.rfc-editor.org/authors/rfc9460-rfcdiff.html > > > https://www.rfc-editor.org/authors/rfc9460-auth48diff.html > > > https://www.rfc-editor.org/authors/rfc9460-lastdiff.html > > > https://www.rfc-editor.org/authors/rfc9460-lastrfcdiff.html > > > > > > https://www.rfc-editor.org/authors/rfc9460-xmldiff1.html > > > https://www.rfc-editor.org/authors/rfc9460-xmldiff2.html > > > https://www.rfc-editor.org/authors/rfc9460-alt-diff.html > > > > > > Again, many thanks for your help with this document! > > > > > > RFC Editor/lb > > > > > > > > >> On Sep 26, 2023, at 11:40 AM, Mike Bishop <mbishop@evequefou.be> > wrote: > > >> > > >> Hi, Lynne - > > >> Please see attached an updated XML from our side, with the following > changes in response to your questions. > > >> > > >> • We expanded "RR" in the document title. Please let us know any > objections. > > >> We have adjusted the title to expand the initialism while avoiding > nested parentheses. > > >> Original: > > >> Service Binding and Parameter Specification via the DNS (DNS SVCB and > > >> HTTPS Resource Records (RRs)) > > >> Current: > > >> Service Binding and Parameter Specification via the DNS (SVCB and > > >> HTTPS Resource Records) > > >> > > >> > > >> 2. Please insert any keywords… > > >> We have added various relevant keywords. > > >> > > >> > > >> 3. Datatracker "idnits" output for the original > approved document included the following warning … There are 2 instances of > lines with non-RFC2606-compliant FQDNs > > >> These instances are false positives. > > >> > > >> > > >> 4. Section 1.1: We changed this section title, as it > did not match the contents of the section. If this update is incorrect, > perhaps some text is missing? If so, please clarify "goal" vs. "goals". > > >> We have accepted the new section title, and also corrected an > obsolete reference to statements that were previously “mentioned above” but > now appear later in the document. > > >> Original: > > >> (As mentioned above, this all > > >> applies equally to the HTTPS RR, which shares the same encoding, > > >> format, and high-level semantics.) > > >> Current: > > >> (As discussed in <xref target="svcb-compatible"/>, this all applies > > >> equally to the HTTPS RR, which shares the same encoding, format, and > > >> high-level semantics.) > > >> > > >> > > >> 5. Please review the "type" attribute of each > sourcecode element… > > >> We have added types and converted “artwork” tags to “sourcecode” as > appropriate. > > >> > > >> > > >> 6. Section 2.4.2: As it appears that "multiple" means > "multiple RRs" (as opposed to "multiple RRSets"), we updated this sentence > accordingly. If this is incorrect, please provide clarifying text. > > >> We have adjusted this to “multiple AliasMode RRs”. > > >> > > >> > > >> 7. Section 4.2: Is resolution of unknown RR types the > only type of normal response construction, or should "i.e." ("that is") be > "e.g." ("for example") here? > > >> Yes. For clarity, we’ve removed this use of “i.e.” entirely. > > >> > > >> > > >> 8. Section 4.3: Does "even if the contents are > invalid" refer to the "MUST" clause, the "MAY" clause, or both? > > >> It refers to the “MAY” clause. To improve clarity, we’ve > restructured this sentence and the following one. > > >> Original: > > >> Recursive resolvers <bcp14>MUST</bcp14> be able to convey SVCB > records > > >> with unrecognized SvcParamKeys, and <bcp14>MAY</bcp14> treat the > > >> entire SvcParams portion of the record as opaque, even if the > contents > > >> are invalid. Alternatively, recursive resolvers <bcp14>MAY</bcp14> > > >> report an error such as SERVFAIL to avoid returning a SvcParamValue > that is invalid according to the SvcParam's specification. > > >> Current: > > >> Recursive resolvers <bcp14>MUST</bcp14> be able to convey SVCB > records > > >> with unrecognized SvcParamKeys. Resolvers <bcp14>MAY</bcp14> > > >> accomplish this by treating the entire SvcParams portion of the > record > > >> as opaque, even if the contents are invalid. If a recognized > > >> SvcParamKey is followed by a value that is invalid according to the > > >> SvcParam's specification, a recursive resolver <bcp14>MAY</bcp14> > > >> report an error such as SERVFAIL instead of returning the record. > > >> > > >> > > >> 9. Section 7.2: Should "this SvcParam" be "this > SvcParamValue" here? > > >> Yes. (Corrected.) > > >> > > >> > > >> 10. Section 9.1: Please clarify the meaning of "Following > of". > > >> We’ve clarified by reformulating this sentence and including > references to the relevant sections where the behavior is defined. > > >> Original: > > >> Following of HTTPS AliasMode RRs and CNAME aliases is > unchanged from SVCB. > > >> Current: > > >> The procedure for following HTTPS AliasMode RRs and CNAME > aliases is unchanged from SVCB (as described in <xref target="alias-mode"/> > and <xref target="client-behavior"/>). > > >> > > >> > > >> > > >> 11. Should the instances of "9443" be "8443" here? > > >> No, this distinction is intentional. > > >> > > >> > > >> 12. Section 9.4 and Table 1: Does "ECH" refer to > citations for draft-ietf-tls-esni and not to "Encrypted ClientHello" in > general, or does it refer to some (unknown) future specification related to > ECH (in which case the text should be clarified)? > > >> For clarity, we’ve replaced “ECH” here with that reference, and > expanded the acronym where it appears in the IANA instructions. The > assignment is currently captured in draft-sbn-tls-svcb-ech-00, which was > extracted from this document. The TLS WG has adopted that document, and > will need to decide whether to fold it into draft-ietf-tls-esni or advance > it separately. > > >> > > >> > > >> 13. Section 9.6: Should 'HTTP URL' be '"http" URL'? … > Also, we could not find any instances of "requestURL" in [WebSocket], any > other published RFC, or [FETCH]. > > >> We’ve replaced ‘HTTP URL” with the formal term defined in RFC 9110: > “HTTP-related URI scheme”. > > >> Since we wrote this text, WHATWG has moved the definition of > “requestURL” to a new document. We’ve fixed the problem by adding that > reference here. > > >> Original: > > >> All HTTP connections to named origins are eligible to use HTTPS RRs, > > >> even when HTTP is used as part of another protocol or without an > > >> explicit HTTP URL. For example, clients that support HTTPS RRs and > > >> implement the altered WebSocket <xref target="RFC6455"/> opening > > >> handshake from the W3C Fetch specification <xref target="FETCH"/> > > >> <bcp14>SHOULD</bcp14> use HTTPS RRs for the <tt>requestURL</tt>. > > >> Current: > > >> All HTTP connections to named origins are eligible to use HTTPS RRs, > > >> even when HTTP is used as part of another protocol or without an > > >> explicit HTTP-related URI scheme (<relref target="RFC9110" > > >> section="4.2"/>). For example, clients that support HTTPS RRs and > > >> implement <xref target="RFC6455"/> using the altered opening > handshake > > >> from <xref target="FETCH-WEBSOCKETS"/> <bcp14>SHOULD</bcp14> use > HTTPS RRs for the <tt>requestURL</tt>. > > >> > > >> > > >> 14. Section 10.3: We had trouble following "various > interpretations of RFCs" in the first sentence… > > >> We’ve replaced this vague statement by a reference to the BIND > documentation for the behavior in question. > > >> Original: > > >> Note that some implementations may not allow A or AAAA records on > > >> names starting with an underscore due to various interpretations of > RFCs. > > >> This could be an operational issue when the TargetName contains an > > >> Attrleaf label, as well as using a TargetName of "." when the owner > name contains an Attrleaf label. > > >> Current: > > >> Some authoritative DNS servers may not allow A or AAAA records on > > >> names starting with an underscore (e.g., <xref > target="BIND-CHECK-NAMES"/>). > > >> This could create an operational issue when the TargetName contains > an > > >> Attrleaf label, or when using a TargetName of "." if the owner name > contains an Attrleaf label. > > >> > > >> > > >> 15. Section 11: We do not see the word "stapling" or > "staple" in RFC 6066. Please confirm that this citation will be clear to > readers. > > >> We’ve adjusted this sentence to expand “OCSP” and mention > > >> “Certificate Status Request”, which is the formal name from RFC > 6066. > > >> (We’ve preserved the term “stapling” because it is much more widely > > >> understood and commonly used than the formal name.) > > >> Original: > > >> Server operators implementing this standard <bcp14>SHOULD</bcp14> > also > > >> implement TLS 1.3 <xref target="RFC8446"/> and Online > > >> Certificate Status Protocol (OCSP) Stapling <xref > > >> target="RFC6066"/>, both of which confer substantial performance and > > >> privacy benefits when used in combination with SVCB records. > > >> Current: > > >> Server operators implementing this standard <bcp14>SHOULD</bcp14> > also > > >> implement TLS 1.3 <xref target="RFC8446"/> and Online Certificate > > >> Status Protocol (OCSP) Stapling (i.e., Certificate Status Request in > > >> <xref target="RFC6066" section="8" sectionFormat="of"/>), both of > > >> which confer substantial performance and privacy benefits when used > in > > >> combination with SVCB records.</t> > > >> > > >> > > >> 16. Section 12: "unintended access" reads oddly here. If > the suggested text is not correct, should the word "unintended" be removed? > > >> We’ve rephrased this in a way that avoids the word “unintended” and > improves specificity. > > >> Original: > > >> If the attacker can influence the > > >> client's payload (e.g., TLS session ticket contents) and an internal > > >> service has a sufficiently lax parser, it's possible that the > attacker > > >> could gain unintended access. > > >> Current: > > >> If the attacker can influence the > > >> client's payload (e.g., TLS session ticket contents) and an internal > > >> service has a sufficiently lax parser, the attacker could gain access > > >> to the internal service. > > >> > > >> > > >> 17. FYI, we have changed two instances of "Service > Binding" to "service binding" because it written in lowercase where used > generally in this document. We will ask IANA… > > >> We’ve changed the description in the IANA instructions to use the > > >> more precise term “SVCB-compatible” instead. (The original IANA > > >> instructions may predate this term.) > > >> > > >> > > >> 18. The following ACTION text indicates that the "Service > Parameter Keys (SvcParamKeys)" registry should appear on the "Domain Name > System (DNS) Parameters" page. However, the registry appears on a page > under the heading "DNS Service Bindings (SVCB)" > > >> This disparity may have occurred because IANA reorganized their > website after the original instructions were written. The current location > of the registry correctly reflects the authors’ intent, and we have updated > the draft to describe the new location. > > >> > > >> > > >> 19. Because the IANA registry does not include a "Meaning" > column, we have updated the text as shown below. Please let us know if any > updates are required. > > >> This change is correct. > > >> > > >> > > >> 20. Appendix A: Because Section 3.3 of RFC 1035 says > "<character-string> is treated as binary information, and can be up to 256 > characters in length (including the length octet)", we updated this > sentence to clarify the meaning of "same as". If this is incorrect, please > provide text that clarifies the meaning of "same as". > > >> This change is not correct. We have adjusted the text to provide a > clearer distinction between “<character-string>” (which is binary) and the > textual representation used to generate it. > > >> Original: > > >> DNS zone files are capable of representing arbitrary octet sequences > > >> in basic ASCII text, using various delimiters and encodings. The > > >> algorithm for decoding these character strings is defined in <xref > section="5.1" sectionFormat="of" target="RFC1035"/>. > > >> Current: > > >> DNS zone files are capable of representing arbitrary octet sequences > > >> in basic ASCII text, using various delimiters and encodings, > according > > >> to an algorithm defined in <xref section="5.1" sectionFormat="of" > target="RFC1035"/>. > > >> Original: > > >> In this document, this algorithm is referred to as "character-string > decoding". > > >> The algorithm is the same as the guideline for > > >> <tt><character-string></tt> provided in <xref target="RFC1035" > sectionFormat="of" section="3.3"/>, except that in this document the output > length is not limited to 255 octets. > > >> Current: > > >> In this document, this algorithm is referred to as "character-string > > >> decoding", because it is used to produce a > > >> <tt><character-string></tt> in <xref target="RFC1035" > > >> sectionFormat="of" section="5.1"/>. Note that while the length of a > > >> <tt><character-string></tt> is limited to 255 octets, the > > >> character-string decoding algorithm can produce output of any > > >> length.</t> > > >> > > >> > > >> 21. Appendix C.4: We changed "the authoritative" at the > end of this sentence to "the authoritative DNS server". > > >> This change is correct. > > >> > > >> > > >> 22. Appendix D.2: Do "target (root label)" and "target, > root label" mean the same thing? If yes, should they both be expressed in > the same way (i.e., either parentheses or comma)? Also, should "length: 2 > bytes" be "length 2", per the format of all other "# length" and "; length" > entries? > > >> Yes, these carry the same meaning. We have incorporated these > changes to improve consistency. > > >> > > >> > > >> 23. The example.com line in Figure 8 extends beyond the > 72-character limit. > > >> 24. Figure 8: The "example.com." line is too long… > > >> We have adjusted this figure as suggested to fit within the > 72-character limit. > > >> > > >> > > >> 25. Figures 14 and 15: Should "mandatory" be written in > the same way in both titles (i.e., either lowercase and quoted or > initial-capitalized and unquoted)? > > >> No. In one case, it refers to an item that must be present; in the > other it refers to the literal 9-character sequence “mandatory”. > > >> > > >> > > >> 26. "Acknowledgments and Related Proposals" reads oddly, > in that the two ideas seem unrelated. "... proposed solutions ...challenge > proposed" reads oddly as well. May we make a new Section 15 ("Related > Proposals") … ? > > >> We’ve reformulated this paragraph to make clear that the related > proposals are mentioned by way of acknowledgement and gratitude. > > >> > > >> > > >> 27. Please review the "Inclusive Language" portion of the > online Style Guide … > > >> We have reviewed this guidance but did not find any changes that > could be made on this basis. > > >> > > >> > > >> 28. Please let us know if any changes are needed for the > following [capitalization consistency issues] > > >> We have attempted to correct these issues to improve consistency. In > the case of ALPN, we have clarified some uses as “ALPN protocol” or “ALPN > ID”. > > >> ------------ > > >> Additionally, we made several edits in response to a late-arriving > review from the DNS Directorate, as Warren indicated. These are > highlighted below, in no particular order. > > >> # Positive and negative DNSSEC (Section 4.1) > > >> Original: > > >> If the zone is signed, the server SHOULD also include positive or > > >> negative DNSSEC responses for these records in the Additional section. > > >> Current: > > >> If the zone is signed, the server SHOULD also include DNSSEC records > > >> authenticating the existence or nonexistence of these records in the > > >> Additional section. > > >> # Use of “origin” for concepts other than HTTP origins > > >> - In 1.1, “an origin within the DNS” => “a service identified by a > domain name” > > >> - In 3.1, “origin’s SVCB record” => “service’s SVCB record” > > >> - In 7.3, “origin hostname” => “service name” > > >> - In 9.3, “origin endpoint” => “authority endpoint” > > >> - In 12, “origin” => “authoritative server” > > >> # Use of “delegation” outside the sense of DNS zone delegation > > >> - In 1, “delegating the origin” => “aliasing the origin” > > >> - In 1.1, “delegation of operational authority for an origin within > > >> the DNS to an alternate name.” => “extending operational authority > for > > >> a service identified by a domain name to other instances with > > >> alternate names.” (overlap with previous set) > > >> - In 1.1, “apex delegation” => “apex aliasing” > > >> - In 3.2, “It allows the service to delegate the apex domain.” => “It > allows a service on an apex domain to use aliasing.” > > >> - In Figure 1 (caption), “Is Delegated to” => “Is Available At” > > >> # Inconsistency of terms for list and sorting in Section 3 > > >> - “enumerating the priority-ordered endpoints” => “enumerating and > ordering the available endpoints” > > >> - Addition of “Sort the records by ascending SvcPriority.” to step 4. > > >> - “known endpoints” => “available endpoints” > > >> - “priority list” => “list of endpoints” > > >> - “the resolved list” => “this list” > > >> # Vague performance statements > > >> In 2.4.2, removed “which would likely improve performance” > > >> # No such thing as empty RRset > > >> Original: > > >> If the SVCB RRset contains no compatible RRs, the client will > generally act as if the RRset is empty. > > >> Current: > > >> Incompatible RRs are ignored (see step 5 of the procedure defined in > <xref target="client-behavior"/>). > > >> ------------ > > >> Finally, with regard to the changes from our previous e-mail: The > attached file incorporates your proposed changes. We have made one > adjustment, where <tt> was already being used around a hostname which is > now quoted. The combination is probably not necessary; for consistency, we > can align on quotes. > > >> Original: > > >> When using the generic SVCB RR type with aliasing, zone owners > > >> <bcp14>SHOULD</bcp14> choose alias target names that indicate the > > >> scheme in use (e.g., <tt>"foosvc.example.net"</tt> for > > >> <tt>"foo://"</tt> schemes). This will help to avoid confusion when > > >> another scheme needs to be added to the configuration. When multiple > > >> port numbers are in use, it may be helpful to repeat the prefix > labels in the alias target name (e.g., <tt>"_1234._foo.svc.example.net > "</tt>). > > >> Current: > > >> When using the generic SVCB RR type with aliasing, zone owners > > >> <bcp14>SHOULD</bcp14> choose alias target names that indicate the > > >> scheme in use (e.g., "foosvc.example.net" for "foo" schemes). This > > >> will help to avoid confusion when another scheme needs to be added to > > >> the configuration. When multiple port numbers are in use, it may be > > >> helpful to repeat the prefix labels in the alias target name (e.g., > "_1234._foo.svc.example.net"). > > >> We have also removed the “://”, which is not properly part of the > scheme. > > >> > > >> > > >> -----Original Message----- > > >> From: Lynne Bartholomew <lbartholomew@amsl.com> > > >> Sent: Friday, September 22, 2023 2:39 PM > > >> To: Mike Bishop <mbishop@evequefou.be>; ietf@bemasc.net; > > >> erik+ietf@nygren.org > > >> Cc: rfc-editor@rfc-editor.org; dnsop-ads@ietf.org; > > >> dnsop-chairs@ietf.org; tjw.ietf@gmail.com; > > >> auth48archive@rfc-editor.org > > >> Subject: Re: AUTH48: RFC-to-be 9460 <draft-ietf-dnsop-svcb-https-12> > > >> for your review Hi, Mike and coauthors. > > >> Mike, apologies for our confusion with the emails yesterday. We have > updated this document per your notes below. Please see our "[rfced]" notes > inline. > > >> Also, apologies for an issue regarding an update to Section 14.4. > The updated section is now correct. We also removed a duplicate question > regarding Figure 8. > > >> The latest files are posted here. Please refresh your browser to > view the latest updates and the updated list of questions: > > >> https://www.rfc-editor.org/authors/rfc9460.txt > > >> https://www.rfc-editor.org/authors/rfc9460.pdf > > >> https://www.rfc-editor.org/authors/rfc9460.html > > >> https://www.rfc-editor.org/authors/rfc9460.xml > > >> https://www.rfc-editor.org/authors/rfc9460-diff.html > > >> https://www.rfc-editor.org/authors/rfc9460-rfcdiff.html > > >> https://www.rfc-editor.org/authors/rfc9460-auth48diff.html > > >> https://www.rfc-editor.org/authors/rfc9460-alt-diff.html > > >> https://www.rfc-editor.org/authors/rfc9460-xmldiff1.html > > >> https://www.rfc-editor.org/authors/rfc9460-xmldiff2.html > > >> https://www.rfc-editor.org/authors/rfc9460-alt-diff.html > > >> Thank you, and again, apologies for our confusion. > > >> RFC Editor/lb > > >> > > >> > > >>> On Sep 20, 2023, at 1:33 PM, Mike Bishop <mbishop@evequefou.be> > wrote: > > >>>> A couple points from the copy-edits I wanted to discuss as we go > through these…. > > >>>> Under SVC Query Names, I see this change: > > >>>> Original: > > >>> When querying the SVCB RR, a service is translated into a QNAME by > > >>> prepending the service name with a label indicating the scheme, > > >>> prefixed with an underscore, resulting in a domain name like "_ > examplescheme.api.example.com.". > > >>>> Current: > > >>> When querying the SVCB RR, a service is translated into a QNAME by > > >>> prepending the service name with a label indicating the scheme, > > >>> prefixed with an underscore, resulting in a domain name like "_ > examplescheme.api.example.com." > > >>>> In this instance, however, the literal domain name ends with a > period. Given the general rule in American English that the period goes > inside the quotation marks and not outside, the absence of the explicit > exterior period might cause some readers to apply that rule and not expect > the actual domain name to contain the trailing dot; hence the separate > period in the original. > > >>>> Could we revert this change, or is there a different way we could > word this to avoid any confusion? > > >> [rfced] Reverted. Thank you for the explanation. > > >>>> Under AliasMode, quotes were added to offset “https://example.com > ”, but similar quotes were not added around “foo://example.com:8080”. > Should all URIs be quoted, if this one is? > > >>> [rfced] We added quotes to URIs listed in text. Please review and > let us know if any of the new quotes are incorrect (e.g., we added quotes > for 'owner of "example.com"' because we found 'the operator of " > https://example.com "', but is this update correct?). > > >>> Regarding the hyphenation of “SVCB-optional” and “SVCB-reliant”: > > >>>> Original: > > >>> A client is called "SVCB-optional" if it can connect without the use > > >>> of ServiceMode records, and "SVCB-reliant" otherwise. > > >>>> Current: > > >>> A client is called "SVCB optional" if it can connect without the use > > >>> of ServiceMode records; otherwise, it is called "SVCB reliant". > > >>>> These terms are used primarily as adjectives before a noun (and > therefore hyphenated) and in a few instances with a verb in between. It > seems unclear not to hyphenate the definition of the terms when that’s > primarily how they’re used, for ease of searching. For uniformity, could we > hyphenate these terms throughout? If I understand the rule correctly, a > compound adjective is *generally* not hyphenated when not before a noun, > but some are. > > >>>> (The same applies to “SVCB-compatible” later.) > > >> [rfced] We restored the hyphens. > > >> Updated list of questions: > > >> 1) <!-- [rfced] We expanded "RR" in the document title. Please let > us know any objections. > > >> Original: > > >> Service binding and parameter specification via the DNS (DNS SVCB and > > >> HTTPS RRs) > > >> Currently: > > >> Service Binding and Parameter Specification via the DNS (DNS SVCB and > > >> HTTPS Resource Records (RRs)) --> > > >> 2) <!-- [rfced] Please insert any keywords (beyond those that appear > > >> in the > > >> title) for use on <https://www.rfc-editor.org/search >. --> > > >> 3) <!-- [rfced] Datatracker "idnits" output for the original > approved document included the following warning. Please let us know if > any changes are needed as related to this warning: > > >> == There are 2 instances of lines with non-RFC2606-compliant FQDNs in > the > > >> document. --> > > >> 4) <!-- [rfced] Section 1.1: We changed this section title, as it > did not match the contents of the section. If this update is incorrect, > perhaps some text is missing? If so, please clarify "goal" vs. > > >> "goals". > > >> Original (excerpts from this section are included for context): > > >> 1.1. Goals of the SVCB RR > > >> The goal of the SVCB RR is to allow clients to resolve a single > > >> additional DNS RR in a way that: > > >> ... > > >> Additional goals specific to HTTPS RRs and the HTTP use-cases > > >> include: > > >> Currently: > > >> 1.1. Goals --> > > >> 5) <!-- [rfced] Please review the "type" attribute of each > sourcecode element in the XML file to ensure correctness. If the current > list of preferred values for "type" > > >> (https://www.rfc-editor.org/materials/sourcecode-types.txt ) does > not contain an applicable type, please let us know. Also, it is acceptable > to leave the "type" attribute not set. > > >> In addition, review each artwork element. Specifically, should any > artwork element be tagged as sourcecode (e.g., "dns-rr", "pseudocode", or > "test-vectors" for some or all of the figures in the appendices)? --> > > >> 6) <!-- [rfced] Section 2.4.2: As it appears that "multiple" means > "multiple RRs" (as opposed to "multiple RRSets"), we updated this sentence > accordingly. If this is incorrect, please provide clarifying text. > > >> Original (the previous sentence is included for context): > > >> In AliasMode, the SVCB record aliases a service to a TargetName. > > >> SVCB RRSets SHOULD only have a single resource record in AliasMode. > > >> If multiple are present, clients or recursive resolvers SHOULD pick > one at random. > > >> Currently: > > >> If multiple > > >> RRs are present, clients or recursive resolvers SHOULD pick one at > random. --> > > >> 7) <!-- [rfced] Section 4.2: Is resolution of unknown RR types the > only type of normal response construction, or should "i.e." ("that is") be > "e.g." ("for example") here? > > >> Original: > > >> Whether the recursive resolver is aware of SVCB or not, the normal > > >> response construction process (i.e. unknown RR type resolution under > > >> [RFC3597]) generates the Answer section of the response. --> > > >> 8) <!-- [rfced] Section 4.3: Does "even if the contents are invalid" > > >> refer to the "MUST" clause, the "MAY" clause, or both? > > >> Original: > > >> Recursive resolvers MUST be able to convey SVCB records with > unrecognized SvcParamKeys, and MAY treat the entire SvcParams portion of > the record as opaque, even if the contents are invalid. > > >> (A) Perhaps (both): > > >> Recursive resolvers MUST be able to convey SVCB records with > unrecognized SvcParamKeys and MAY treat the entire SvcParams portion of > the record as opaque, even if the contents are invalid. > > >> (B) Or possibly (only the "MAY" clause): > > >> Recursive resolvers MUST be able to convey SVCB records with > unrecognized SvcParamKeys, and the resolvers MAY treat the entire > SvcParams portion of the record as opaque even if the contents are invalid. > > >> (C) Or to be specific (instead of rely only on the comma): > > >> Recursive resolvers MUST be able to convey SVCB records with > > >> unrecognized SvcParamKeys, and the resolvers MAY treat the entire > > >> SvcParams portion of the record as opaque even if the contents > > >> (of that portion) are invalid. --> > > >> 9) <!-- [rfced] Section 7.2: Should "this SvcParam" be "this > > >> SvcParamValue" here? We ask because we see two instances of > > >> "SvcParamValue MUST NOT contain escape sequences" later in this > > >> document. > > >> Original: > > >> To enable simpler parsing, this SvcParam MUST NOT contain escape > > >> sequences. --> > > >> 10) <!-- [rfced] Section 9.1: Please clarify the meaning of > > >> "Following of". > > >> Original: > > >> Following of HTTPS AliasMode RRs and CNAME aliases is unchanged from > > >> SVCB. --> > > >> 11) <!--[rfced] Should the instances of "9443" be "8443" here? > > >> Original: > > >> Alt-Svc: h2="alt.example:443", h2="alt2.example:443", h3=":8443" > > > >> > The client would retrieve the following HTTPS records: > > > >> > alt.example. IN HTTPS 1 . alpn=h2,h3 foo=... > > > >> alt2.example. IN HTTPS 1 alt2b.example. alpn=h3 > foo=... > > >> _8443._https.example.com. IN HTTPS 1 alt3.example. ( > > > >> port=9443 alpn=h2,h3 foo=... ) > [...] > > >> > * HTTP/3 to alt3.example:9443 --> > > >> 12) <!-- [rfced] Section 9.4 and Table 1: Does "ECH" refer to > > >> citations for draft-ietf-tls-esni and not to "Encrypted ClientHello" > > >> in general, or does it refer to some (unknown) future specification > > >> related to ECH (in which case the text should be clarified)? > > >> Please note that we could not find any indication in > > >> draft-ietf-tls-esni that the parameter in question will be reserved > > >> for it. > > >> Original: > > >> Clients MUST NOT use an HTTPS RR response unless the client supports > > >> TLS Server Name Indication (SNI) and indicates the origin name in the > > >> TLS ClientHello (which might be encrypted via a future specification > > >> such as ECH). > > >> ... > > >> | 5 | ech | RESERVED |N/A |IETF | > > >> | | | (will be | | | > > >> | | | used for | | | > > >> | | | ECH) | | | > --> > > >> 13) <!-- [rfced] Section 9.6: > > >> Should 'HTTP URL' be '"http" URL'? We ask because we do not see > > >> 'HTTP URL' used anywhere else in this document or in this cluster of > > >> documents (https://www.rfc-editor.org/cluster_info.php?cid=C461 ). > > >> Also, we could not find any instances of "requestURL" in [WebSocket], > > >> any other published RFC, or [FETCH]. However, we see "Request-URI" > > >> in [WebSocket]. Will the use of "requestURL" be clear to readers? > > >> Original: > > >> All HTTP connections to named origins are eligible to use HTTPS RRs, > > >> even when HTTP is used as part of another protocol or without an > > >> explicit HTTP URL. For example, clients that support HTTPS RRs and > > >> implement the altered WebSocket [WebSocket] opening handshake from > the > > >> W3C Fetch specification [FETCH] SHOULD use HTTPS RRs for the > > >> requestURL. --> > > >> 14) <!-- [rfced] Section 10.3: We had trouble following "various > > >> interpretations of RFCs" in the first sentence, as it appears to > > >> indicate that the RFCs themselves are being interpreted. Also, the > > >> second sentence does not parse. Would the "Perhaps" text below be > > >> helpful? If not, please provide clarifying text. > > >> Original ("an TargetName" has been fixed): > > >> Note that some implementations may not allow A or AAAA records on > > >> names starting with an underscore due to various interpretations of > > >> RFCs. This could be an operational issue when the TargetName > contains > > >> an attrleaf label, as well as using an TargetName of "." > > >> when the owner name contains an attrleaf label. > > >> Perhaps: > > >> Note that some implementations may not allow A or AAAA records on > > >> names that start with an underscore, due to various interpretations > in > > >> other RFCs. This could be an operational issue when the TargetName > > >> contains an Attrleaf label, as well as when a TargetName of "." is > > >> used when the owner name contains an Attrleaf label. --> > > >> 15) <!-- [rfced] Section 11: We do not see the word "stapling" or > > >> "staple" in RFC 6066. Please confirm that this citation will be > clear > > >> to readers. > > >> Original: > > >> Server operators implementing this standard SHOULD also implement TLS > > >> 1.3 [RFC8446] and OCSP Stapling [RFC6066], both of which confer > > >> substantial performance and privacy benefits when used in combination > > >> with SVCB records. --> > > >> 16) <!-- [rfced] Section 12: "unintended access" reads oddly here. > > >> If the suggested text is not correct, should the word "unintended" > > >> be removed? Please provide alternative text if you'd like to > > >> rephrase. > > >> Original: > > >> If the attacker can influence the client's payload (e.g. > > >> TLS session ticket contents), and an internal service has a > > >> sufficiently lax parser, it's possible that the attacker could gain > > >> unintended access. > > >> Suggested: > > >> If the attacker can influence the client's payload (e.g., TLS session > > >> ticket contents) and an internal service has a sufficiently lax > > >> parser, it's possible that, as an unintended consequence, the > attacker > > >> could gain access. --> > > >> 17) <!-- [rfced] FYI, we have changed two instances of "Service > Binding" > > >> to "service binding" because it written in lowercase where used > > >> generally in this document. We will ask IANA to update > > >> <https://www.iana.org/assignments/dns-parameters/ > accordingly, > unless you let us know you prefer otherwise. > > >> Original: > > >> * Meaning: General Purpose Service Binding Current: > > >> Meaning: General-purpose service binding > > >> Original: > > >> * Meaning: Service Binding type for use with HTTP Current: > > >> Meaning: Service binding type for use with HTTP > > >> --> > > >> 18) <!-- [rfced] The following ACTION text indicates that the > > >> "Service Parameter Keys (SvcParamKeys)" registry should appear on the > > >> "Domain Name System (DNS) Parameters" page. However, the registry > > >> appears on a page under the heading "DNS Service Bindings (SVCB)" > > >> (see https://www.iana.org/assignments/dns-svcb/ ). Please review > and > > >> let us know if the location of the "DNS Service Bindings (SVCB)" > > >> registry is correct. > > >> Original: > > >> ACTION: create this registry, on a new page entitled "DNS Service > > >> Bindings (SVCB)" under the "Domain Name System (DNS) Parameters" > > >> category. --> > > >> 19) <!-- [rfced] Section 14.4: Because the "Underscored and > > >> Globally Scoped DNS Node Names" IANA registry does not include a > "Meaning" > > >> column, we have updated the table as shown below. Please let us know > > >> if any other updates are required. > > >> Original (to avoid the issue of double dashes and XML comments, the > > >> bottom line of the table is not included): > > >> Per [Attrleaf], please add the following entry to the DNS Underscore > > >> Global Scoped Entry Registry: > > >> +=========+============+=================+=================+ > > >> | RR TYPE | _NODE NAME | Meaning | Reference | > > >> +=========+============+=================+=================+ > > >> | HTTPS | _https | HTTPS SVCB info | (This document) | > > >> Table 2 > > >> Currently: > > >> Per [Attrleaf], the following entry has been added to the DNS > > >> "Underscored and Globally Scoped DNS Node Names" registry: > > >> +=========+============+===========+ > > >> | RR Type | _NODE NAME | Reference | > > >> +=========+============+===========+ > > >> | HTTPS | _https | RFC 9460 | > > >> Table 2 --> > > >> 20) <!-- [rfced] Appendix A: Because Section 3.3 of RFC 1035 says > > >> "<character-string> is treated as binary information, and can be up > to > > >> 256 characters in length (including the length octet)", we updated > > >> this sentence to clarify the meaning of "same as". > > >> If this is incorrect, please provide text that clarifies the meaning > > >> of "same as". > > >> Original: > > >> The algorithm is the same as used by > > >> <character-string> in RFC 1035, although the output length in this > > >> document is not limited to 255 octets. > > >> Currently: > > >> The algorithm is the same as the > > >> guideline for <character-string> in [RFC1035], except that in this > > >> document the output length is not limited to 255 octets. > > >> --> > > >> 21) <!-- [rfced] Appendix C.4: We changed "the authoritative" at > > >> the end of this sentence to "the authoritative DNS server". If this > > >> is incorrect, please clarify the meaning of "the authoritative". > > >> Original: > > >> Recursive resolvers that implement the specification would, upon > > >> receipt of a ServiceMode query, emit both a ServiceMode and an > > >> AliasMode query to the authoritative. > > >> Currently: > > >> Recursive resolvers that implement the specification would, upon > > >> receipt of a ServiceMode query, emit both a ServiceMode query and an > > >> AliasMode query to the authoritative DNS server. --> > > >> 22) <!-- [rfced] Appendix D.2: Do "target (root label)" and > > >> "target, root label" mean the same thing? If yes, should they both > be > > >> expressed in the same way (i.e., either parentheses or comma)? > > >> Also, should "length: 2 bytes" be "length 2", per the format of all > > >> other "# length" and "; length" entries? > > >> Original: > > >> 00 ; target (root label) > > >> ... > > >> \x00 # target, root label > > >> ... > > >> \x00\x02 # length: 2 bytes > > >> ... > > >> \x00\x05 # length 5 > > >> ... > > >> \x00\x09 # length 9 > > >> ... > > >> \x00\x20 # length 32 > > >> ... > > >> \x00\x10 # length 16 --> > > >> 23) <!-- [rfced] Figure 8: The "example.com." line is too long and > > >> yields the following warning: > > >> Warning: Too long line found (L2319), 4 characters longer than 72 > characters: > > >> example.com. SVCB 1 example.com. > ipv6hint="2001:db8:122:344::192.0.2.33" > > >> We see a similar type of line at the top of Figure 7, although that > > >> line uses parentheses before and after the line break around > > >> "ipv6hint". Would it be syntactically correct to format this line > > >> (i.e., with parentheses and line breaks) per Figure 7? > > >> Original: > > >> example.com. SVCB 1 example.com. > ipv6hint="2001:db8:122:344::192.0.2.33" > > >> Possibly: > > >> example.com. SVCB 1 example.com. ( > > >> ipv6hint="2001:db8:122:344::192.0.2.33" > > >> ) --> > > >> 24) <!-- [rfced] Figures 14 and 15: Should "mandatory" be written > > >> in the same way in both titles (i.e., either lowercase and quoted or > > >> initial-capitalized and unquoted)? > > >> Original: > > >> Figure 14: A mandatory SvcParam is missing ... > > >> Figure 15: The "mandatory" SvcParamKey must not be included in > > >> the mandatory list --> > > >> 25) <!-- [rfced] "Acknowledgments and Related Proposals" reads > > >> oddly, in that the two ideas seem unrelated. "... proposed solutions > ... > > >> challenge proposed" reads oddly as well. > > >> May we make a new Section 15 ("Related Proposals") and rephrase some > > >> text as suggested below? > > >> Original: > > >> 15. Acknowledgments and Related Proposals There have been a wide > > >> range of proposed solutions over the years to the "CNAME at the Zone > > >> Apex" challenge proposed. These include > > >> [I-D.bellis-dnsop-http-record], [I-D.ietf-dnsop-aname], and others. > > >> Thank you to Ian Swett, Ralf Weber, Jon Reed, Martin Thomson, Lucas > > >> Pardue, Ilari Liusvaara, Tim Wicinski, Tommy Pauly, Chris Wood, David > > >> Benjamin, Mark Andrews, Emily Stark, Eric Orth, Kyle Rose, Craig > > >> Taylor, Dan McArdle, Brian Dickson, Willem Toorop, Pieter Lexis, > > >> Puneet Sood, Olivier Poitrey, Mashooq Muhaimen, Tom Carpay, and many > > >> others for their feedback and suggestions on this draft. > > >> Suggested: > > >> 15. Related Proposals > > >> Over the years, there has been a wide range of proposed solutions to > > >> the zone-apex CNAME challenge. These include [HTTP-DNS-RR], > > >> [ANAME-DNS-RR], and others. > > >> ... > > >> Acknowledgments > > >> Thank you to Ian Swett, Ralf Weber, Jon Reed, Martin Thomson, Lucas > > >> Pardue, Ilari Liusvaara, Tim Wicinski, Tommy Pauly, Chris Wood, David > > >> Benjamin, Mark Andrews, Emily Stark, Eric Orth, Kyle Rose, Craig > > >> Taylor, Dan McArdle, Brian Dickson, Willem Toorop, Pieter Lexis, > > >> Puneet Sood, Olivier Poitrey, Mashooq Muhaimen, Tom Carpay, and many > > >> others for their feedback and suggestions on this document. --> > > >> 26) <!-- [rfced] Please review the "Inclusive Language" portion of > > >> the online Style Guide at > > >> <https://www.rfc-editor.org/styleguide/part2/#inclusive_language >, > > >> and let us know if any changes are needed. > > >> For example, please consider whether the following should be updated: > > >> whitespace (whitespace-separated list, internal whitespace) > > >> --> > > >> 27) <!-- [rfced] Please let us know if any changes are needed for > > >> the > > >> following: > > >> a) The following terms were used inconsistently in this document. > > >> We chose to use the latter forms. Please let us know any objections. > > >> Alt-Svc Field Value / Alt-Svc field value (per [AltSvc]) attrleaf > > >> label / Attrleaf label (per [Attrleaf]) > > >> IPv6 hint / ipv6hint (per three of the four companion documents) > > >> (https://www.rfc-editor.org/cluster_info.php?cid=C461 )) > > >> key Name / key name > > >> RRType (titles of Sections 14.1 and 14.2) / RR Type (per > > >> approx. 40 instances of "RR type" in text) wire-format / > > >> wireformat / wire format (noun) > > >> (per "wire format" in companion document draft-ietf-add-svcb-dns) > > >> zone file (adj.) / zone-file (adj.) > > >> b) The following terms appear to be used inconsistently in this > > >> document. Please let us know which form is preferred. > > >> Additional record / additional record (We also see > > >> "Additionals" and "Additional A records" in Section 4.2.1.) > > >> additional section / Additional section / Additional Section mode / > > >> Mode ("two modes", "same Mode", "connection modes") Multi-CDN ("A > > >> Multi-CDN customer domain") / > > >> multi-CDN ("a multi-CDN configuration") > > >> (We suggest lowercase, based on past usage in RFCs.) Name MUST / > > >> name MUST (Section 14.3.1) > > >> c) Should lowercase "alpn" be written in text with or without quotes? > > >> alpn / "alpn" ('e.g., alpn', 'e.g., URIs or "alpn"') Also, should > > >> 'non-default alpn' be 'non-default ALPN' or > > >> perhaps 'non-default "alpn"'? > > >> d) May we change the instances of "RRSet" to "RRset"? We see that > > >> the latter form is used much more often in RFCs from RFC 6000 > > >> onwards.--> > > >> > > >> > > >>>> On Sep 8, 2023, rfc-editor@rfc-editor.org wrote: > > >>> *****IMPORTANT***** > > >>> Updated 2023/09/08 > > >>> RFC Author(s): > > >>> -------------- > > >>> Instructions for Completing AUTH48 > > >>> Your document has now entered AUTH48. Once it has been reviewed > > >>> and approved by you and all coauthors, it will be published as an > RFC. > > >>> If an author is no longer available, there are several remedies > > >>> available as listed in the FAQ (https://www.rfc-editor.org/faq/ ). > > >>> You and you coauthors are responsible for engaging other parties > > >>> (e.g., Contributors or Working Group) as necessary before providing > > >>> your approval. > > >>> Planning your review --------------------- Please review the > > >>> following aspects of your document: > > >>> * RFC Editor questions > > >>> Please review and resolve any questions raised by the RFC Editor > > >>> that have been included in the XML file as comments marked as > > >>> follows: > > >>> <!-- [rfced] ... --> > > >>> These questions will also be sent in a subsequent email. > > >>> * Changes submitted by coauthors Please ensure that you review > any changes submitted by your > > >>> coauthors. We assume that if you do not speak up that you > > >>> agree to changes submitted by your coauthors. > > >>> * Content Please review the full content of the document, as > this cannot > > >>> change once the RFC is published. Please pay particular attention > to: > > >>> - IANA considerations updates (if applicable) > > >>> - contact information > > >>> - references > > >>> * Copyright notices and legends > > >>> Please review the copyright notice and legends as defined in > > >>> RFC 5378 and the Trust Legal Provisions (TLP – > https://trustee.ietf.org/license-info/ ). > > >>> * Semantic markup > > >>> Please review the markup in the XML file to ensure that elements of > > >>> content are correctly tagged. For example, ensure that <sourcecode> > > >>> and <artwork> are set correctly. See details at < > https://authors.ietf.org/rfcxml-vocabulary >. > > >>> * Formatted output > > >>> Please review the PDF, HTML, and TXT files to ensure that the > > >>> formatted output, as generated from the markup in the XML file, is > > >>> reasonable. Please note that the TXT will have formatting > > >>> limitations compared to the PDF and HTML. > > >>> Submitting changes > > >>> ------------------ > > >>> To submit changes, please reply to this email using ‘REPLY ALL’ as > > >>> all the parties CCed on this message need to see your changes. The > > >>> parties > > >>> include: > > >>> * your coauthors > > >>> * rfc-editor@rfc-editor.org (the RPC team) > > >>> * other document participants, depending on the stream (e.g., > > >>> IETF Stream participants are your working group chairs, the > > >>> responsible ADs, and the document shepherd). > > >>> * auth48archive@rfc-editor.org, which is a new archival mailing > list > > >>> to preserve AUTH48 conversations; it is not an active discussion > > >>> list: > > >>> * More info: > > >>> > https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc > > >>> * The archive itself: > > >>> https://mailarchive.ietf.org/arch/browse/auth48archive/ > > >>> * Note: If only absolutely necessary, you may temporarily opt > out > > >>> of the archiving of messages (e.g., to discuss a sensitive > matter). > > >>> If needed, please add a note at the top of the message that you > > >>> have dropped the address. When the discussion is concluded, > > >>> auth48archive@rfc-editor.org will be re-added to the CC list > and > > >>> its addition will be noted at the top of the message. > > >>> You may submit your changes in one of two ways: > > >>> An update to the provided XML file > > >>> — OR — > > >>> An explicit list of changes in this format Section # (or indicate > > >>> Global) > > >>> OLD: > > >>> old text > > >>> NEW: > > >>> new text > > >>> You do not need to reply with both an updated XML file and an > > >>> explicit list of changes, as either form is sufficient. > > >>> We will ask a stream manager to review and approve any changes that > > >>> seem beyond editorial in nature, e.g., addition of new text, > > >>> deletion of text, and technical changes. Information about stream > > >>> managers can be found in the FAQ. Editorial changes do not require > approval from a stream manager. > > >>> Approving for publication > > >>> -------------------------- > > >>> To approve your RFC for publication, please reply to this email > > >>> stating that you approve this RFC for publication. Please use > > >>> ‘REPLY ALL’, as all the parties CCed on this message need to see > your approval. > > >>> Files ----- > > >>> The files are available here: > > >>> https://www.rfc-editor.org/authors/rfc9460.xml > > >>> https://www.rfc-editor.org/authors/rfc9460.html > > >>> https://www.rfc-editor.org/authors/rfc9460.pdf > > >>> https://www.rfc-editor.org/authors/rfc9460.txt > > >>> Diff file of the text: > > >>> https://www.rfc-editor.org/authors/rfc9460-diff.html > > >>> https://www.rfc-editor.org/authors/rfc9460-rfcdiff.html (side by > side) > > >>> Diff of the XML: > https://www.rfc-editor.org/authors/rfc9460-xmldiff1.html > > >>> This diff file compares an altered original and the RFC (in order to > make the changes in moved text viewable): > > >>> https://www.rfc-editor.org/authors/rfc9460-alt-diff.html > > >>> Tracking progress > > >>> ----------------- > > >>> The details of the AUTH48 status of your document are here: > > >>> https://www.rfc-editor.org/auth48/rfc9460 > > >>> Please let us know if you have any questions. Thank you for your > cooperation, > > >>> RFC Editor > > >>> -------------------------------------- > > >>> RFC9460 (draft-ietf-dnsop-svcb-https-12) > > >>> Title : Service Binding and Parameter Specification via > the DNS (DNS SVCB and HTTPS Resource Records (RRs)) > > >>> Author(s) : B. Schwartz, M. Bishop, E. Nygren > > >>> WG Chair(s) : Suzanne Woolf, Benno Overeinder, Tim Wicinski > > >>> Area Director(s) : Warren Kumari, Robert Wilton > > >> <rfc9460.xml> > > > > > > <rfc9460.xml> > > > >
- [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-dnsop… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Warren Kumari
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Tim Wicinski
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Ben Schwartz
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Erik Nygren
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Erik Nygren
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Erik Nygren
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Ben Schwartz
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Erik Nygren
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Ben Schwartz
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Ben Schwartz
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Lynne Bartholomew
- [auth48] [IANA] Re: AUTH48: RFC-to-be 9460 <draft… Lynne Bartholomew
- [auth48] [IANA #1284364] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1284364] [IANA] Re: AUTH48: R… Erik Nygren
- [auth48] *[AD] Re: [IANA #1284364] [IANA] Re: AUT… Lynne Bartholomew
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Warren Kumari
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Mike Bishop
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Erik Nygren
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Ben Schwartz
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Lynne Bartholomew
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Ben Schwartz
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Lynne Bartholomew
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Ben Schwartz
- [auth48] * [IANA] **[AD] Re: AUTH48: RFC-to-be 94… Lynne Bartholomew
- Re: [auth48] * [IANA] **[AD] Re: AUTH48: RFC-to-b… Ben Schwartz
- [auth48] [IANA #1284364] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] [IANA #1284364] [IANA] Re: AUTH48: R… Lynne Bartholomew
- Re: [auth48] [IANA #1284364] [IANA] Re: AUTH48: R… Rob Wilton (rwilton)
- [auth48] *[AD] Re: [IANA #1284364] [IANA] Re: AUT… Lynne Bartholomew
- Re: [auth48] *[AD] Re: [IANA #1284364] [IANA] Re:… Warren Kumari
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9460 <dr… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9460 <draft-ietf-d… Mike Bishop