IETF Logo Mail Archive

Re: [DNSOP] SVCB chain lengths

Eric Orth <ericorth@google.com> Mon, 23 December 2019 20:22 UTC

Return-Path: <ericorth@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28325120059 for <dnsop@ietfa.amsl.com>; Mon, 23 Dec 2019 12:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QDkTbCry4-tG for <dnsop@ietfa.amsl.com>; Mon, 23 Dec 2019 12:22:15 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 769D112004C for <dnsop@ietf.org>; Mon, 23 Dec 2019 12:22:15 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id d73so607282wmd.1 for <dnsop@ietf.org>; Mon, 23 Dec 2019 12:22:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=kgq34l3gK20BjAgsySvhuwsChq215po9KgokTN+gxJA=; b=EJOFWzo1VJ16PQ6tvxG7OrX4mbtELANqN3l5hF5ejT5FgheLV0SQT5ZGyrjI+QrPBh xpA0/fJKf3pf0bG3uXN3iVH82LLLE86eTISDfHStCemdTuVthGZaP/9TXXYntX7AcC4O XipbUH0LNsAol5uJsHXZC63KEotPXfJu7ODhVOKOPvWJGIT36nMl6zMmf+3GPcuqkjMb aHtR3xvcJkC+Fyj9und0fUmr7O1eyhjH8wgWrYHFCfsIFmfvWXjhJJPJGMCmrIHY0HH3 dc2nwqa4xG+8sgij6xjPElVkLOLSad68fzcDGf/7z8N8aHoHE3+RosGOEb49WLkuTqRr g2KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=kgq34l3gK20BjAgsySvhuwsChq215po9KgokTN+gxJA=; b=XlILJGi+RSp8Mn0CBAFZc2uqg8NCWDNt+lco90x9uQOGRT2+elp8QrZRi6oef3ZRn6 zHFkfFsTClCdEQ8YjXuypTnaOaczenlpLdU8CbvIg9lPJ+5YALVvWWfuEgSDvPZiaEHA zTOmjkUw8vJ1JdmEtmn4avGfzx6z4sQl/O/sw9keV/XzQzLssYq8Tkiay+hHYjq5Y9M/ 6uzS+mVWvgUBCCRgxC2iVt1Tln/wssX7NLHpoSdEtSEFfjD/69bPRJGQzkcTmNpAz7Ws yzraETUkvKjCABADbBDiKxVVGM+g46qFBd5oRyv5Fg1ya3u2isYEteBMwOP6ziaEhRX0 03Pw==
X-Gm-Message-State: APjAAAW8mX3eYL83H+2d0FVTN4nzRPUB155nZLPrBvIt+4vIfEJG7PcW 3Kkv5WVGYsd8ug/Q5LMvkz7ZWbUi9/Up+0kuUDcUKP3X3v4=
X-Google-Smtp-Source: APXvYqw2t7Ip7UfjtCvGK2qYSRdh3ggzoD6vehywD2ADfA7bCWV+thsJb3utAFQrVQier8/MPGi89oFccfSOcq3qN9M=
X-Received: by 2002:a1c:407:: with SMTP id 7mr520713wme.29.1577132533395; Mon, 23 Dec 2019 12:22:13 -0800 (PST)
MIME-Version: 1.0
References: <CAMOjQcGP3=+_fb9pt3dvF27kR1ENH+=2L28EDNPQU6JF8zkrzQ@mail.gmail.com> <CAH1iCirdFrT_v-FBqaC=WUfaY52DyeYLh5VWbeVsw2YwscDCpA@mail.gmail.com> <CAHbrMsBAmQU-xduT3E4_sHaqrpsdZ_YfdEtgoNB4kti4jDCvdQ@mail.gmail.com> <CAH1iCip0iY8Mt8=HC0-V8jF=D=BGcs54xUMu4Rkbe47FFxGyuA@mail.gmail.com>
In-Reply-To: <CAH1iCip0iY8Mt8=HC0-V8jF=D=BGcs54xUMu4Rkbe47FFxGyuA@mail.gmail.com>
From: Eric Orth <ericorth@google.com>
Date: Mon, 23 Dec 2019 15:22:01 -0500
Message-ID: <CAMOjQcG2YOBa1X7ZqAUpDG0Cwr+nOzmy-bKJmbqaQEqrcTOCAQ@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b03fb059a64c83a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AXkrn3vDxZ4K23DRoVE7elQ6bxM>
Subject: Re: [DNSOP] SVCB chain lengths
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2019 20:22:17 -0000

Maybe it would help if we scoped down any chain limiting:

1) Any chain limiting only applies to SVCB alias form, not CNAME.

CNAMEs already exist without a standardized limit.  Good or bad, too late
to change that without breaking things.  SVCB alias chains, as well as
aliasing apex names, are new and thus currently limited to zero.

2) Any chain limiting enforcement only applies to stubs following chains,
not recursives.

Recursives are already following CNAMEs without a standardized limit.
Speaking for the one stub resolver I know well, Chrome DNS, we don't
currently directly follow any CNAME links, relying on the recursive to do
it for us.  So the current CNAME chain limit in Chrome is also zero.  Any
chain following at all, CNAME or SVCB alias, is an increase of our current
practical limit of zero.

SVCB-aware recursives could resolve the chain without limit as they
currently do with CNAME.  Unlimited chain following anywhere seems
non-ideal to me, but my expertise is not on the recursive side so maybe
it's completely reasonable.  But if we're relying on the stubs to follow
chains (that may not have been followed there at all before) to account for
SVCB-unaware recursives, we should empower them to use chain limits
reasonable for them.  Being typically further away from results and with
less caching, unlimited chain following just does not seem reasonable for a
stub like Chrome, and it seems to us to have a big potential to be
detrimental to our users' experiences compared to the status quo of not
following any chains.

This point of scoping down is partly in response to Brian Dickson's reply
that SVCB alias should be first class and at least as powerful as CNAME.
Limiting chains in stubs makes chains practically limited everywhere for
most general cases because authoritatives will want to support the cases
where the recursive is SVCB-unaware.  But if there's going to be some "Flag
Day" by which all the recursives we care about add SVCB support without
limit, that will be the point after which the practical limit will be gone
and SVCB aliasing becomes fully empowered as a CNAME substitute.

3) Any chain limiting only applies to HTTPSSVC, not SVCB.

HTTPSSVC is a much more specific area where the usecases are more
understood.  I think when we say we don't see any usecases where needing
more than one alias makes sense, we're really only talking about the
well-understood HTTPS cases.  Anything else using SVCB is more generic and
hard to pin down whether or not any limits make sense or would be
reasonable.

And when you scope down chain limiting to just HTTPSSVC, the arguments
become less valid that aliasing could point to other organizations without
coordination over whether or not the one allowed alias is yet used.  In
HTTPS, the end server needs the cert for the domain.  There should be
coordination and trust between organizations in the alias chain, and the
organizations should be able to coordinate who is in charge of aliasing
from an apex domain.

>

v2.23.0 | Report a Bug | By Email