Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Paul Wouters <paul@nohats.ca> Tue, 18 May 2021 21:35 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF763A0FF0 for <dnsop@ietfa.amsl.com>; Tue, 18 May 2021 14:35:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJKQR58FbpTR for <dnsop@ietfa.amsl.com>; Tue, 18 May 2021 14:35:46 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608613A0FDD for <dnsop@ietf.org>; Tue, 18 May 2021 14:35:46 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Fl8SH52KkzKML; Tue, 18 May 2021 23:35:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1621373743; bh=MeozaclTHWdcruwMOgsp8cFpJNBs0CLrrDzCf46KJVs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=UKvnc8qhdf0Wv7PVEFzRja+BJQUWZEq7SY7x0o1EdyehMcgzu30SMDGwNZc+Ig9Ib +SwVul99nL2VDC+KefgtKuPL2xvam8ydWsDYA7i9uActYTmQYcjblecZclpBHp34P6 PX4Luc5wyqyP7rOBD9/U4UtHX8zJArWs5e0jnWZA=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id S6pL8wB0XFc9; Tue, 18 May 2021 23:35:42 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 18 May 2021 23:35:42 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C82C75AF1F; Tue, 18 May 2021 17:35:40 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id BEB975AF1E; Tue, 18 May 2021 17:35:40 -0400 (EDT)
Date: Tue, 18 May 2021 17:35:39 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: Brian Dickson <brian.peter.dickson@gmail.com>, dnsop <dnsop@ietf.org>
In-Reply-To: <CAHbrMsB1VeZjoCiTdsGkur-jm_Ce_pxFz7MfBWdNfaRftsWDuA@mail.gmail.com>
Message-ID: <2c99be10-e769-886d-63df-2186e9ddfb49@nohats.ca>
References: <7ADF1FB2-97A4-4C49-8F25-8BF03BE01640@hopcount.ca> <20210512213903.D5F1F7AA827@ary.qy> <CAMOjQcFJjcsvaREF0fr+2GTY4zTy5CxSxR16BEp=Nc-K9WJ0Tg@mail.gmail.com> <CAH1iCipAVKVCuH2ME=+YpeJyijrKCtzJaU3bRFyy1f48EB33iw@mail.gmail.com> <CAHbrMsCjWgV7nc575L_qdvr7HdoEVKqkXRwLdXA2L5NiCgdvwA@mail.gmail.com> <CAH1iCipW_-BSMQZ-S+m18pyzfxTGsCrmG9Pc-b35_VRiLhxh4w@mail.gmail.com> <CAHbrMsDvEkYAxee4xjW5LsQmr0PgBf+UmMAuME-_UvRMg4jJeA@mail.gmail.com> <CAH1iCiq4zJZBv5=f7T2EDRWKa7bAZx66SMKkf+AiDsDPTZokhQ@mail.gmail.com> <CAH1iCioNgQMjEZSeRdD3OmxPsboybF4XfcdwEC-hEjBLGA88XA@mail.gmail.com> <CAHbrMsAimEk-ubvAH8QsX=7amn5wm2a1sAyHhWox9nzOC2MofA@mail.gmail.com> <CAH1iCiq7V9p1-E7rTZCVn0+sEiV0oaumw=a71tsZK=-ERx7RtA@mail.gmail.com> <CAHbrMsB1VeZjoCiTdsGkur-jm_Ce_pxFz7MfBWdNfaRftsWDuA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/492zTKuqxozk3pG-j6ODZ-HmQb4>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 21:36:03 -0000

On Tue, 18 May 2021, Ben Schwartz wrote:

> That's essentially correct.  A client that only supports the default ALPN has no use for the "alpn" SvcParam.

Does the "default ALPN" mean "no support for the ALPN extension" ? Or
does it mean "Supports ALPN with the default XXXX" ? If so, what is
XXXX?

> My point is that SVCB mappings are IETF documents, complete with guidance, normative language, deviations, exceptions,
> etc.  The summary table in Appendix B is non-normative, and not connected to IANA in any way.  There is no registry of
> mappings.

This really looks like you are creating an IANA registry for keywords
used within SVCB records.

> Here is the same pair of records, using the two different encoding schemes:
> ;; pool HTTPS 1 h3pool alpn=h2,h3 ech="123..."

Why wouldn't this use:

 	pool HTTPS 1 h3pool alpn="h2,h3" ech="123..."

or:

 	pool HTTPS 1 h3pool alpn="h2,h3", ech="123..."

It is a little strange to me that some values are within quotes are
others are not. That really makes parsing (the presentation format)
harder.

> It also creates significant complexity for any future value that takes the form of an ordered list.

Security protocols are usually in the form of the initiator represents a
list (in whatever order) and the responder decides which it picks and
prefers from that set and uses that. Putting ordered lists in seems like
something the client in this case would mostly ignore as they will just
pretend not to support that is ordered at a higher preference in a list
in the DNS record?

But I did indicate already before that this RRtype is basically a
"security TXT" free flow record and it will surely lead to issues, yet
it seems unstoppable at this point anyway because of the milliseconds
for the advertisement auction gods.

> I did a quick test implementation, and the wire overhead was not a substantial increase, about 40%. 
> 
> This seems like a considerable increase for a high-traffic record type.

Well, you basically build a security protocol demultiplexer server HELLO
record that's not protected by a Finished message, whose protection
comes from DNSSEC but the people who want to run this at scale don't
want to do DNSSEC. As long as the message size is well within common
EDNS UDP packet size (with RRSIGs), then I think the size does not
matter.

Paul