IETF Logo Mail Archive

Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)

Tommy Pauly <tpauly@apple.com> Thu, 01 September 2022 03:00 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D3F0C1522A6; Wed, 31 Aug 2022 20:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.677
X-Spam-Level:
X-Spam-Status: No, score=-7.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Em_qoBmWlzOO; Wed, 31 Aug 2022 20:00:47 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68E04C14CF02; Wed, 31 Aug 2022 20:00:47 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 2812xH0v022836; Wed, 31 Aug 2022 20:00:45 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=CS9D6i/h5vkXmNJMmiOwwek06+7ey4NY59sfcto2OZI=; b=f65aa1kwOEuBexHipLV5vIee6lbiC65+G5GxPQsbvwLDOUEGxzCQ1layPjvSs8NgRFLW 5npingEuhMV/KHMByQIu2iAaPeUi/1By9PwXyvynkcYsJ883p5WU+uWYYWspclMHQJdC yfXTtXItUqr7ZFQi3AWcviESvuIJGkRu4/RG6ck+Wf9RzGjuiQT9BbG3TnXZ0uEViDsA n6h02MO6TIoBR2eYEtw1OozF7ja/9C170qJUCW9Mz/oadFyLNPEr7dVEViBZEF9BaqI8 CsFKb71Sl5mPcFAjpeUWeroTvS/MOK8/FaICEZvVy0Kzc52eEy3TZiTBbwg3tdA0qNBJ IQ==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 3j7hx36jff-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 31 Aug 2022 20:00:45 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPS id <0RHI00MOHGD91LD0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Wed, 31 Aug 2022 20:00:45 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) id <0RHI00L00G3OKC00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 31 Aug 2022 20:00:45 -0700 (PDT)
X-Va-A:
X-Va-T-CD: d6e576b20903c5e48c0dd148563c9492
X-Va-E-CD: 18c0ace60e2717b418ad4807c7423e4a
X-Va-R-CD: 4e8bda45b7224c98fc12eb5cf9468d2c
X-Va-CD: 0
X-Va-ID: 3b443ab8-6daa-490b-bbc8-c8a7ea7136f9
X-V-A:
X-V-T-CD: d6e576b20903c5e48c0dd148563c9492
X-V-E-CD: 18c0ace60e2717b418ad4807c7423e4a
X-V-R-CD: 4e8bda45b7224c98fc12eb5cf9468d2c
X-V-CD: 0
X-V-ID: 09b2e4c2-56de-4774-b8d8-8b3086197ec5
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.895 definitions=2022-09-01_01:2022-08-31, 2022-09-01 signatures=0
Received: from smtpclient.apple (unknown [17.11.181.239]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPSA id <0RHI002OCGD8R300@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 31 Aug 2022 20:00:45 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <0203FD85-487D-4B64-88BF-818B5BE0BC70@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_EC2F4C11-5276-40B0-905C-CE24E877D19C"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3730.0.21\))
Date: Wed, 31 Aug 2022 20:00:34 -0700
In-reply-to: <CAH1iCipoo2u2h8XtJp8iwrg-bonMC785RehC3bVzbMKaLv+Kpg@mail.gmail.com>
Cc: Warren Kumari <warren@kumari.net>, draft-ietf-dnsop-svcb-https.all@ietf.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
To: Brian Dickson <brian.peter.dickson@GMAIL.COM>
References: <CAHw9_iKZJndu1100LBU3TiuhF9ACb0As2deA1oZWD2eA46tBbA@mail.gmail.com> <CAH1iCiqryY=u6MN2mkf7krHLmc7TQkoDaXe0k=ZZ+0e9uiMb-Q@mail.gmail.com> <YwaQrnoA3hifxCQW@straasha.imrryr.org> <CAMOjQcEcKQSWvb_LqmfkGwZ2dt_561jLZxHTMuMO0pMy2s9mbw@mail.gmail.com> <CAH1iCirnWdDY0p2-grQKN3PQWOM=JLevxbNskFFEzGwHvisGZA@mail.gmail.com> <B024358C-77FD-4E63-8E18-1CBCEA6C6B14@icann.org> <CAH1iCiry3VDS+dM+wEkPH5a_TSt5pEddxPjKOhL9_M20e_dR0A@mail.gmail.com> <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org> <CAHbrMsC_RO1J6qp_yOWOc3P4zpZ-cOCB6adXRwjoSQP7_yrWug@mail.gmail.com> <CAH1iCiqzeZORDmbE+XMs1wt6YZKYFZWnsnrvN8fbLHpFXEfDfw@mail.gmail.com> <CAHbrMsDSbDapPFFfhU1iyi5BpEjb8NA7WXz+1pu78dGnuVkNzg@mail.gmail.com> <CAH1iCiojyT47nvNqeCkz8X4ueY0y_fp11BNEoV6WMuWx639_Dg@mail.gmail.com> <CAH1iCipRjnvs71iiK1aaMKj98P65-NqKSL4+XfmMA_MsU9_JNg@mail.gmail.com> <CAHw9_iJg7yTECPbPvSNxac21My4SqPjMjhYS4tFRWBzFmjkLjg@mail.gmail.com> <CAH1iCipoo2u2h8XtJp8iwrg-bonMC785RehC3bVzbMKaLv+Kpg@mail.gmail.com>
X-Mailer: Apple Mail (2.3730.0.21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.895 definitions=2022-09-01_01:2022-08-31, 2022-09-01 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4fJSc6-t4I9NzwbPonANuVH_o1A>
Subject: Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2022 03:00:51 -0000

I don’t personally find this proposal to be an improvement for clarity.

The fact that a client is SVCB-optional means, somewhat by definition, that they allow not using the SVCB results. Saying that the client “MAY” doesn’t really help; it’s the very definition of what SVCB-optional is. If the client doesn’t use non-SVCB connection modes at that point, then it is SVCB-reliant.

Listing out the details of what a non-SVCB connection does (not using the information from the SVCB record) also seems redundant. It is more accurate to just say “don’t use anything from SVCB if SVCB didn’t work” rather than trying to list out what all of those details might be.

Tommy

> On Aug 31, 2022, at 4:13 PM, Brian Dickson <brian.peter.dickson@GMAIL.COM> wrote:
> 
> So, here is my suggestion, for "a sentence (or possibly two) which only clarify what is already written?":
> 
> In section 3:
>    If the client is SVCB-optional, and connecting using this list of
>    endpoints has failed, the client now attempts to use non-SVCB
>    connection modes.
> becomes:
>    If the client is SVCB-optional, and connecting using this list of
>    endpoints has failed, the client MAY attempt to use non-SVCB
>    connection modes, using the origin name (without prefixes),
>    the authority endpoint's port number, and no SvcParams.
> 
> (The original didn't use RFC 2119 language, but the list of failure modes in 3.1 leads to "MAY" being the most appropriate choice.)
> 
> Let me know if that is good enough.
> (The rest can go into a -bis... how soon are we allowed to start a -bis document? The day of RFC publication? I'd like to start that as soon as possible, while everything is still fresh.)
> 
> Brian
> 
> On Wed, Aug 31, 2022 at 6:25 AM Warren Kumari <warren@kumari.net <mailto:warren@kumari.net>> wrote:
>> 
>> 
>> 
>> 
>> On Wed, Aug 31, 2022 at 4:39 AM, Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
>>> Here are some proposed text changes, per Warren's invitation to send text:
>> 
>> 
>> 
>> Um, no.  Warren said: "can we craft a sentence (or possibly two) which only clarify what is already written?". This is a significantly larger set of changes than that. The Section 3 changes in particular are (IMO) much more than a clarification. 
>> 
>> These may or may not be good changes, but anything approaching that level of change would have to be in a -bis document…
>> 
>> W
>> 
>> 
>>> 
>>> In section 1.2, change:
>>> 2.  TargetName: The domain name of either the alias target (for
>>>        AliasMode) or the alternative endpoint (for ServiceMode).
>>> to:
>>> 2.  TargetName: Either the domain name of the alias target (for
>>>        AliasMode) or the host name of the alternative endpoint (for ServiceMode).
>>> 
>>> In section 2.4.2, change:
>>>    As legacy clients will not know to use this record, service operators
>>>    will likely need to retain fallback AAAA and A records alongside this
>>>    SVCB record, although in a common case the target of the SVCB record
>>>    might offer better performance, and therefore would be preferable for
>>>    clients implementing this specification to use.
>>> to:
>>>    As legacy clients will not know to use this record, service operators
>>>    will likely need to retain fallback AAAA and A records at the service name,
>>>    although in a common case the target of the SVCB record
>>>    might offer better performance, and therefore would be preferable for
>>>    clients implementing this specification to use.
>>> 
>>> In section 2.4.3, change:
>>>    In ServiceMode, the TargetName and SvcParams within each resource
>>>    record associate an alternative endpoint for the service with its
>>>    connection parameters.
>>> to:
>>>    In ServiceMode, the TargetName and SvcParams within each resource
>>>    record associate an alternative endpoint for the service with its
>>>    connection parameters. The TargetName MUST be a host name
>>>    (as defined in [DNSTerm].)
>>> 
>>> In section 3, the following changes are proposed; they introduce a new term LASTNAME to be used to disambiguate the $QNAME reference so as to remove ATTRLEAF prefixes from the appended target:
>>> 
>>>    1.  Let $QNAME be the service name plus appropriate prefixes for the
>>>        scheme (see Section 2.3).
>>> becomes:
>>>    1.  Let $QNAME be the service name plus appropriate prefixes for the
>>>        scheme (see Section 2.3). Let $LASTNAME be the service name without any prefixes.
>>> 
>>> 
>>>    3.  If an AliasMode SVCB record is returned for $QNAME (after
>>>        following CNAMEs as normal), set $QNAME to its TargetName
>>>        (without additional prefixes) and loop back to step 2, subject to
>>>        chain length limits and loop detection heuristics (see
>>>        Section 3.1).
>>> becomes:
>>>    3.  If an AliasMode SVCB record is returned for $QNAME (after
>>>        following CNAMEs as normal), set $QNAME to its TargetName
>>>        (without additional prefixes), set $LASTNAME to this new $QNAME and loop back to step 2, subject to
>>>        chain length limits and loop detection heuristics (see
>>>        Section 3.1).
>>> 
>>>    Once SVCB resolution has concluded, whether successful or not, SVCB-
>>>    optional clients SHALL append to the priority list an endpoint
>>>    consisting of the final value of $QNAME, the authority endpoint's
>>>    port number, and no SvcParams.  (This endpoint will be attempted
>>>    before falling back to non-SVCB connection modes.  This ensures that
>>>    SVCB-optional clients will make use of an AliasMode record whose
>>>    TargetName has A and/or AAAA records but no SVCB records.)
>>> becomes:
>>>    Once SVCB resolution has concluded, whether successful or not, SVCB-
>>>    optional clients SHALL append to the priority list an endpoint
>>>    consisting of the final value of $LASTNAME, the authority endpoint's
>>>    port number, and no SvcParams.  (This endpoint will be attempted
>>>    before falling back to non-SVCB connection modes.  This ensures that
>>>    SVCB-optional clients will make use of an AliasMode record whose
>>>    TargetName has A and/or AAAA records but no SVCB records.)
>>> 
>>>    If the client is SVCB-optional, and connecting using this list of
>>>    endpoints has failed, the client now attempts to use non-SVCB
>>>    connection modes.
>>> becomes:
>>>    If the client is SVCB-optional, and connecting using this list of
>>>    endpoints has failed, the client MAY attempt to use non-SVCB
>>>    connection modes, using the origin name (without prefixes),
>>>    the authority endpoint's port number, and no SvcParams.
>>> 
>>> One additional suggested addition to the end of section 3.1 is:
>>>    If DNS responses are cryptographically protected, and at least
>>>    one HTTPS AliasMode record has been received successfully,
>>>    clients MAY apply Section 9.5 (HSTS equivalent) restrictions
>>>    even when reverting to non-SVCB connection modes. Clients
>>>    also MAY treat resolution or connection failures subsequent
>>>    to the initial cryptographically protected AliasMode record
>>>    as fatal.
>>> [Brian's note: this last would provide some guidance to implementers of clients: a signed HTTPS AliasMode record is a strong signal that the DNS operator is discouraging fallback, albeit at a "MAY" level.]
>>> 
>>> NB: The 2.4.3 change could be removed as it is mostly independent, as could the last addition to 3.1. 
>>> The 1.2 change is very minor, is not too important but presents a succinct clarification on the hostname vs domain name thing.
>>> The 2.4.2 change and section 3 changes together are fixes for the prefix/no-prefix issue (which was basically a scrivener's error, and does not change the semantics at all.) They should stay or go as one unit.
>>> 
>>> Brian
>>> 
>>> On Tue, Aug 30, 2022 at 12:08 AM Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
>>>> 
>>>> 
>>>> On Sat, Aug 27, 2022 at 3:00 PM Ben Schwartz <bemasc@google.com <mailto:bemasc@google.com>> wrote:
>>>>> 
>>>>> 
>>>>> On Fri, Aug 26, 2022 at 10:49 PM Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
>>>>>> 
>>>>>>  Fail fast may not be appealing, but in some (probably the majority of) cases, it may be the most correct option.
>>>>>> 
>>>>>> It may also be the case that the zone owner knows whether this is the case.
>>>>>> I think it is much more likely that explicitly declaring the situation (if known) is more useful than having several billion clients independently attempting to infer whether the first option will even work, let alone provide a useful alternative to the second or third.
>>>>> 
>>>>> In fact, there is one way for the zone owner to disable fallback: enable ECH.  Fallback is not compatible with ECH, so ECH-aware clients will disable fallback when the ServiceMode records contain ECH.
>>>>> 
>>>> 
>>>> Wait, what?
>>>> 
>>>> This whole discussion was raised from the perspective of zone owners publishing AliasMode apex records.
>>>> Those owners would not be operating the CDN, which is the whole point of using a CNAME or AliasMode.
>>>> I.e., the zone owner would be the one wanting to disable fallback, but would not be in a position to do what you suggest.
>>>> 
>>>> The domain's contents are served via a CDN, where the CDN requires delegation of control, most often with CNAME (or AliasMode at the apex).
>>>> The ServiceMode records are placed on the CDN operated zone (in order to avoid the first connection to establish the AltSvc stuff).
>>>> 
>>>> The AliasMode record cannot be combined with ECH, since no SvcParams are allowed. The zone owner is not using ServiceMode, that is the declared assumption.
>>>> 
>>>> If that (ECH) is the only way to disable fallback, that's what the focused discussion needed to elicit, and I think some slight adjustments are needed to at least facilitate zone owners preventing fallback. The mechanism doesn't need to be added to the draft, but likely would get put into a separate draft or a -bis document. However, there needs to be some daylight between the fallback method and the mandatory SVCB/HTTPS components, in order to allow for that development.
>>>> 
>>>> BTW, the concern is less about singleton zone owners than it is about large scale integrated DNS management of zones in order to accommodate CDN usage.
>>>> 
>>>> Note also, this issue is not strictly limited to vertical integration among products/services of the DNS operator; there are large scale inter-provider (DNS and other services) open partnerships (controlled by their mutual customers) that have need for the programmatic ability to assign CDNs and enable/disable fallback (if fallback is part of the specification).
>>>> (For those interested, the not-yet-an-IETF standard for interoperability between DNS and service providers is Domain Connect. The intent is to revive the draft for that, which previously lived in the REGEXT WG.)
>>>> 
>>>> I think converting the fallback in the draft into MAY, and having active discussions, dev, test, and deployment on a voluntary basis outside of the scope of the current draft, is the fastest path to solving the "no fallback" signaling issue, and to getting the draft published (with a few minor tweaks).
>>>> 
>>>> I'll review the other comments, as well as Warren and Viktor's recent messages, and see if I can come up with some proposed text to make very limited changes to the draft.
>>>> 
>>>> Brian
>> 
>> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email