Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Tim Wicinski <tjw.ietf@gmail.com> Wed, 22 July 2020 19:30 UTC

To: Mark Andrews <marka@isc.org>
Cc: Alessandro Ghedini <alessandro@ghedini.me>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AZIGBXzoFZhafESl12zXEJCUgAk>

Alessandro

Thanks for letting us know about this.

But to follow up on what Mark says: if Cloudflare isn't planning on
returning them, I'd like to understand the reasons why.

tim


On Thu, Jul 16, 2020 at 8:12 PM Mark Andrews <marka@isc.org> wrote:

>
>
> > On 17 Jul 2020, at 03:26, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> >
> > On Fri, Jul 17, 2020 at 01:37:35AM +1000, Mark Andrews wrote:
> >> Do you have an estimate on when you will enable additional section processing for these records?
> >
> > Not sure I understand the question. Do you mean authoritative servers adding
> > A/AAAA records to additional section of HTTPS responses?
> >
> > Cheers
>
> Yes.  At the moment there will be lots of redundant queries being made. A, AAAA
> and HTTPS/SVCB for every level of the chain. If HTTPS/SVCB aware servers actually
> return A and AAAA records for service form records, we can reduce the number of
> queries that need to be made.
>
> We need to get to the state where HTTPS/SVCB alias form always reaches a HTTPS/SVCB
> service form.  When we are mostly in that state we can stop doing A and AAAA queries
> alongside the HTTPS/SVCB query for names in the HTTPS/SVCB alias form and take the
> RTT hit on the occasional NODATA response.  To get to that state we need the DNS
> servers of the content providers to be HTTPS/SVCB aware and to populate the additional
> section whenever possible.
>
> BIND’s HTTPS/SVCB implementation adds A, AAAA, CNAME, and HTTPS/SVCB records and
> looks for them in the response.  I would expect all HTTPS/SVCB aware clients to
> look for these records in the response.  At the moment we don’t look for DNAME in
> the additional section nor do we add it because, quite frankly, they should not be
> there in any sensible deployment.  DNAME in the answer section is expected.
>
> Mark
>
> >>> On 17 Jul 2020, at 01:13, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> >>>
> >>> Hello,
> >>>
> >>> Just a quick note that we have started serving "HTTPS" DNS records from
> >>> Cloudflare's authoritative DNS servers. Our main use-case right now is
> >>> advertising HTTP/3 support for those customers that enabled that feature (in
> >>> addition to using Alt-Svc HTTP headers).
> >>>
> >>> If anyone is interested in trying this out you can query pretty much all domains
> >>> served by Cloudflare DNS for which we terminate HTTP.
> >>>
> >>> For example:
> >>>
> >>>  % dig blog.cloudflare.com type65
> >>>
> >>> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >>>
> >>> ;; OPT PSEUDOSECTION:
> >>> ; EDNS: version: 0, flags:; udp: 4096
> >>> ;; QUESTION SECTION:
> >>> ;blog.cloudflare.com.               IN      TYPE65
> >>>
> >>> ;; ANSWER SECTION:
> >>> blog.cloudflare.com.        300     IN      TYPE65  \# 76 000100000100150568332D32390568332D32380568332D32370268320004000868121A2E68121B2E0006002026064700000000000000000068121A2E26064700000000000000000068121B2E
> >>>
> >>> Cheers
> >>>
> >>> _______________________________________________
> >>> DNSOP mailing list
> >>> DNSOP@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/dnsop
> >>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> >>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
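As an added example (not code from this thread, from BIND, or from Cloudflare), the decoder below turns the generic `\# 76 ...` RDATA that dig printed for blog.cloudflare.com into its presentation fields, and then applies Mark's point about additional-section processing: given what a response carried in its additional section, it lists the A/AAAA (or follow-up HTTPS) queries a client would still have to send. The wire layout and SvcParamKey numbers follow the SVCB/HTTPS specification (a draft at the time of the thread, since published as RFC 9460); the record bytes are the ones quoted above, and the additional-section contents passed to `missing_address_queries` are constructed for illustration.

```python
"""Decode SVCB/HTTPS RDATA and work out which follow-up queries remain.

Added example, not the thread's or BIND's code. Wire format per RFC 9460
section 2.2: 2-byte SvcPriority, uncompressed TargetName, then SvcParams as
(key, length, value) triples with strictly increasing keys.
"""
import ipaddress
import struct

# SvcParamKey registry values (RFC 9460 section 14.3)
SVCPARAM_KEYS = {
    0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
    4: "ipv4hint", 5: "ech", 6: "ipv6hint",
}


def read_name(buf, pos):
    """Read an uncompressed DNS name; return (presentation form, next offset)."""
    labels = []
    while True:
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not allowed in TargetName
            raise ValueError("compressed label in SVCB TargetName")
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def decode_value(key, value):
    """Turn one SvcParam value into its presentation-form equivalent."""
    if key == 1:  # alpn: sequence of length-prefixed protocol ids
        ids, i = [], 0
        while i < len(value):
            n = value[i]
            ids.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return ids
    if key == 2:  # no-default-alpn carries an empty value
        return True
    if key == 3:
        return struct.unpack("!H", value)[0]
    if key == 4:
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == 6:
        return [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    if key == 0:  # mandatory: list of 2-byte keys
        keys = struct.unpack(f"!{len(value) // 2}H", value)
        return [SVCPARAM_KEYS.get(k, f"key{k}") for k in keys]
    return value.hex()  # ech and unknown keys: leave as opaque hex


def decode_svcb(rdata: bytes) -> dict:
    """Decode RDATA into mode, priority, target and a params dict."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing")
        if pos + length > len(rdata):
            raise ValueError("SvcParam value runs past end of RDATA")
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = decode_value(key, rdata[pos:pos + length])
        last_key, pos = key, pos + length
    if priority == 0 and params:  # AliasMode records carry no parameters
        raise ValueError("AliasMode record must not carry SvcParams")
    return {"mode": "alias" if priority == 0 else "service",
            "priority": priority, "target": target, "params": params}


def decode_generic(text: str) -> dict:
    """Parse dig's RFC 3597 generic form: '\\# <len> <hex...>'."""
    parts = text.split()
    if parts[0] != r"\#":
        raise ValueError("not generic RDATA")
    raw = bytes.fromhex("".join(parts[2:]))
    if len(raw) != int(parts[1]):
        raise ValueError(f"declared length {parts[1]} != {len(raw)} bytes")
    return decode_svcb(raw)


def missing_address_queries(owner, record, additional):
    """Queries a client still needs after an HTTPS answer.

    `additional` is the set of (name, rtype) pairs the response carried in
    its additional section. For ServiceMode the effective name is the owner
    when TargetName is "."; for AliasMode the client must chase the target
    with another HTTPS query instead.
    """
    if record["mode"] == "alias":
        return [(record["target"], "HTTPS")]
    name = owner if record["target"] == "." else record["target"]
    return [(name, t) for t in ("A", "AAAA") if (name, t) not in additional]


# The record from the thread's dig output (blog.cloudflare.com TYPE65)
BLOG_RDATA = (r"\# 76 "
              "000100000100150568332D32390568332D32380568332D3237026832"
              "0004000868121A2E68121B2E00060020260647000000000000000000"
              "68121A2E26064700000000000000000068121B2E")

if __name__ == "__main__":
    rec = decode_generic(BLOG_RDATA)
    print(rec)
    # dig reported ADDITIONAL: 1, which is only the OPT record, so both
    # address queries are still outstanding (constructed empty set).
    print(missing_address_queries("blog.cloudflare.com.", rec, set()))
```

Decoding the quoted record gives a ServiceMode record with TargetName ".", alpn h3-29/h3-28/h3-27/h2 and address hints for 104.18.26.46, 104.18.27.46 and their 2606:4700:: counterparts; because the response's additional section held only OPT, the client still has to send A and AAAA queries, which is exactly the redundancy Mark describes.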