Re: [DNSOP] Fwd: HTTPSSVC record draft

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 23 July 2019 15:04 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56CD812035A for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 08:04:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frcMU8eQJHM6 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 08:04:48 -0700 (PDT)
Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net [194.109.24.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 000F3120310 for <dnsop@ietf.org>; Tue, 23 Jul 2019 08:04:47 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:c9ad:f345:f26a:8955] ([IPv6:2001:980:4eb1:1:c9ad:f345:f26a:8955]) by smtp-cloud9.xs4all.net with ESMTPSA id pwLLhiJsvuEBxpwLMhpNpr; Tue, 23 Jul 2019 17:04:44 +0200
To: dnsop@ietf.org
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <cd42bccb-89db-4084-e9e5-7dad0d59cb35@pletterpet.nl>
Date: Tue, 23 Jul 2019 17:04:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfP3vcJcmdMi7mJmdYWLvoDOUyRGH9V/JP223SdRdVIyCqvuVmzyLmElO9ScxtONXMNzfxLEid5JOexaU4LBGpEuwrppmIjWVXEGpHO7q88J1zdRB+VcA tXE7J1O+XnYqlaBeMK13OSGPjKqYT/T1yFQ53kemiMG7quW0j+WWmEBkDkPfXd9MOCJ0K7PRCJ3m3SekQwdAGM/aDqpYovUZKIiMyM4H3tJNhOK3neGWVPfg guMbXpzNsp/ZMKTr3df8dxH/tOaOA+qC7CXJe39HVMM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3mrdHKvc1fS1ZfvT6pPnN47_suo>
Subject: Re: [DNSOP] Fwd: HTTPSSVC record draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 15:04:52 -0000

I was too late to join the virtual queue in the dnsop meeting (fighting
with the Meetecho UI), so I'll send a mail to the list:

Slide 5 of the presentation (Alias form) basically covers the ANAME
case, but still relies on the client to chase the target.

The ANAME record is flexible where the target lookup is done (and can be
done at multiple places) at the cost of more complexity.  That
complexity is needed because we cannot assume that the clients will
chase the targets.

But as soon as clients start querying for ANAME (and not address
records) meaning it will chase the target itself, the DNS server
actually does not have to do a target lookup anymore.

Then putting these records in your zone would trigger the same behavior.

example.com.  7200  IN  ANAME    svc.example.net.
example.com.  7200  IN  HTTPSSVC 0 0 svc.example.net.

It almost feels like we could reuse the HTTPSSVC record and allow for
target lookups at the DNS server (MAY do target lookup) if an address
query comes in and a HTTPSSVC record is on the same name.

But then perhaps a more generic name for the RRtype is needed ;)

Best regards,

Matthijs



On 7/8/19 11:01 AM, Ray Bellis wrote:
> For those not paying attention to the HTTP-bis working group, this DNS
> RR was proposed there last week.
> 
> It appears to subsume the ALT-SVC proposal and also covers the use case
> I had in mind with my HTTP Record draft (i.e. CNAME at the apex).
> 
> Given that it has someone from at least major browser vendor supporting
> it there's some hope that this will actually be implemented by them.  It
> therefore seems my draft is probably no longer required.  Hopefully
> ANAME will follow it the same way ;-)
> 
> Ray
> 
> -------- Forwarded Message --------
> Subject:     HTTPSSVC record draft
> Resent-Date:     Wed, 03 Jul 2019 18:46:25 +0000
> Resent-From:     ietf-http-wg@w3.org
> Date:     Wed, 3 Jul 2019 14:45:47 -0400
> From:     Erik Nygren <erik+ietf@nygren.org>
> To:     ietf-http-wg@w3.org Group <ietf-http-wg@w3.org>, Mike Bishop
> <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, Benjamin
> Schwartz <bemasc@google.com>, Erik Nygren - Work <nygren@akamai.com>
> 
> 
> 
> 
> Ben, Mike, and I have submitted the first version of a proposal for an
> "HTTPSSVC" DNS record.
> 
> TL;DR:  This attempts to address a number of problems (ESNI, QUIC
> bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for
> HTTP, etc) in a holistic manner through a new extensible DNS record,
> rather than in a piecemeal fashion.  It is based on some previous
> proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes
> into account feedback received in DNSOP and elsewhere.
> 
> Feedback is most welcome and we're looking forward to discussing with
> people in Montreal.
> 
> Draft link:
> 
> https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01
> 
> 
> 
>  From the abstract:
> 
> This document specifies an "HTTPSSVC" DNS resource record type to
> facilitate the lookup of information needed to make connections for
> HTTPS URIs.  The HTTPSSVC DNS RR mechanism allows an HTTPS origin
> hostname to be served from multiple network services, each with
> associated parameters (such as transport protocol and keying material
> for encrypting TLS SNI).  It also provides a solution for the inability
> of the DNS to allow a CNAME to be placed at the apex of a domain name. 
> Finally, it provides a way to indicate that the origin supports HTTPS
> without having to resort to redirects, allowing clients to remove HTTP
> from the bootstrapping process.
> 
> By allowing this information to be bootstrapped in the DNS, it allows
> for clients to learn of alternative services before their first contact
> with the origin.  This arrangement offers potential benefits to both
> performance and privacy.
> 
> This proposal is inspired by and based on recent DNS usage proposals
> such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to
> have SRV or a functional equivalent implemented for HTTP).  These
> proposals each provide an important function but are potentially
> incompatible with each other, such as when an origin is load-balanced
> across multiple hosting providers (multi-CDN). Furthermore, these each
> add potential cases for adding additional record lookups in-addition to
> AAAA/A lookups.  This design attempts to provide a unified framework
> that encompasses the key functionality of these proposals, as well as
> providing some extensibility for addressing similar future challenges.
> 
> -- 
> 
> Some likely FAQs (with some others listed in an appendix):
> 
> Q: Why this is HTTP-specific?
> A: This is because every protocol has different bootstrap requirements. 
> This draft is concerned with improving the efficiency and security of
> bootstrapping HTTPS connections.  This proposal does offer room for
> non-HTTPS protocols, but the nature of DNS requires underscore prefixing
> to support protocol-keyed answers within a single RRTYPE. It's also
> unlikely that a single RR format would be the ideal bootstrap mechanism
> for every protocol, and there's no reason that multiple protocols should
> have to share an RRTYPE.
> Q: Why is ESNI addressed directly?
> A: This helps make a major motivation of this draft more clear. 
> Splitting out those sections to a separate-but-associated "alt-svc
> attribute for ESNI keys" draft might make sense, but keeping it here
> helps work through some of the issues together.
> 
> Q: Why does this try to address the HSTS case?
> A: This is a unique opportunity to fix HTTPS bootstrap and avoid
> providing insecure defaults.  We'd originally proposed a separate
> Alt-Svc attribute to indicate hsts-style behavior, but then realized
> that it would make sense to push on that as the default here.
> 
> Best, Erik
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop