Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Mark Andrews <marka@isc.org> Fri, 17 July 2020 00:11 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <20200716172604.GA65961@wakko.flat11.house>
Date: Fri, 17 Jul 2020 10:11:33 +1000
Cc: dnsop@ietf.org
Message-Id: <E80B5A6A-9EB1-497B-81C1-2FA67012FAD3@isc.org>
References: <20200716151356.GA60024@wakko.flat11.house> <18174930-D601-462A-BB4E-E994DB2EB4B9@isc.org> <20200716172604.GA65961@wakko.flat11.house>
To: Alessandro Ghedini <alessandro@ghedini.me>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7GyvN05obVWuwfgV1y538Um8YYw>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS


> On 17 Jul 2020, at 03:26, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> 
> On Fri, Jul 17, 2020 at 01:37:35AM +1000, Mark Andrews wrote:
>> Do you have an estimate on when you will enable additional section processing for these records?
> 
> Not sure I understand the question. Do you mean authoritative servers adding
> A/AAAA records to additional section of HTTPS responses?
> 
> Cheers

Yes.  At the moment there will be lots of redundant queries being made. A, AAAA
and HTTPS/SVCB for every level of the chain. If HTTPS/SVCB aware servers actually
return A and AAAA records for service form records, we can reduce the number of
queries that need to be made.

We need to get to the state where HTTPS/SVCB alias form always reaches an HTTPS/SVCB
service form.  When we are mostly in that state we can stop doing A and AAAA queries
alongside the HTTPS/SVCB query for names in the HTTPS/SVCB alias form and take the
RTT hit on the occasional NODATA response.  To get to that state we need the DNS
servers of the content providers to be HTTPS/SVCB aware and to populate the additional
section whenever possible.

BIND’s HTTPS/SVCB implementation adds A, AAAA, CNAME, and HTTPS/SVCB records and
looks for them in the response.  I would expect all HTTPS/SVCB aware clients to
look for these records in the response.  At the moment we don’t look for DNAME in
the additional section nor do we add it because, quite frankly, they should not be
there in any sensible deployment.  DNAME in the answer section is expected.

Mark

>>> On 17 Jul 2020, at 01:13, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>>> 
>>> Hello,
>>> 
>>> Just a quick note that we have started serving "HTTPS" DNS records from
>>> Cloudflare's authoritative DNS servers. Our main use-case right now is
>>> advertising HTTP/3 support for those customers that enabled that feature (in
>>> addition to using Alt-Svc HTTP headers).
>>> 
>>> If anyone is interested in trying this out you can query pretty much all domains
>>> served by Cloudflare DNS for which we terminate HTTP.
>>> 
>>> For example:
>>> 
>>>  % dig blog.cloudflare.com type65
>>> 
>>> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>> 
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;blog.cloudflare.com.		IN	TYPE65
>>> 
>>> ;; ANSWER SECTION:
>>> blog.cloudflare.com.	300	IN	TYPE65	\# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E
>>> 
>>> Cheers
>>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
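The TYPE65 RDATA that dig printed in generic "\# 76 ..." form earlier in this thread, decoded as an added example (not BIND's or Cloudflare's code): it parses the SVCB/HTTPS wire format into SvcPriority, TargetName and the alpn, ipv4hint and ipv6hint parameters, and distinguishes the alias form (priority 0) from the service form the thread discusses. The key numbers alpn=1, ipv4hint=4 and ipv6hint=6 are those assigned by the SVCB draft; any other key is kept as raw hex.

```python
import ipaddress
import struct
# RDATA of the TYPE65 (HTTPS) record quoted in this thread, from dig's "\# 76 ..." form.
BLOG_CLOUDFLARE_HTTPS_RDATA = bytes.fromhex(
    "000100000100150568332D32390568332D32380568332D3237026832"
    "0004000868121A2E68121B2E00060020260647000000000000000000"
    "68121A2E26064700000000000000000068121B2E"
)

def read_name(data, offset):  # uncompressed wire-format name -> (name, next_offset)
    labels = []
    while True:
        length, offset = data[offset], offset + 1
        if length == 0:
            return (".".join(labels) + ".") if labels else ".", offset
        if length & 0xC0:  # compression pointers are not allowed inside this RDATA
            raise ValueError("compressed name in SVCB/HTTPS RDATA")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def decode_param(key, value):  # keys seen on this page are decoded, others stay raw hex
    if key == 1:  # alpn: sequence of length-prefixed protocol ids
        alpns, i = [], 0
        while i < len(value):
            alpns.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
            i += 1 + value[i]
        return "alpn", alpns
    if key == 4:  # ipv4hint: concatenated 4-byte addresses
        return "ipv4hint", [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == 6:  # ipv6hint: concatenated 16-byte addresses
        return "ipv6hint", [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return "key%d" % key, value.hex()

def parse_https_rdata(rdata):  # SvcPriority 0 is the alias form, anything else service form
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, off = read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if key <= last_key or off + length > len(rdata):
            raise ValueError("malformed SvcParams: keys must increase and lengths must fit")
        last_key = key
        name, val = decode_param(key, rdata[off:off + length])
        params[name] = val
        off += length
    if priority == 0 and params:
        raise ValueError("alias form must not carry SvcParams")
    return {"form": "alias" if priority == 0 else "service",
            "priority": priority, "target": target, "params": params}
```

With the quoted record, the target is "." (the owner name itself) and the ipv4hint/ipv6hint values are exactly the A/AAAA addresses a resolver would otherwise have to fetch with separate queries.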