IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Ben Schwartz <bemasc@google.com> Wed, 21 April 2021 18:59 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ACBF3A3306 for <dnsop@ietfa.amsl.com>; Wed, 21 Apr 2021 11:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwa4V9zSW0MO for <dnsop@ietfa.amsl.com>; Wed, 21 Apr 2021 11:59:08 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 084A43A3305 for <dnsop@ietf.org>; Wed, 21 Apr 2021 11:59:07 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id p10-20020a1c544a0000b02901387e17700fso1776588wmi.2 for <dnsop@ietf.org>; Wed, 21 Apr 2021 11:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j4jw+g39x1ahioVLhlrvFMFlFlL7908F0qumXt8wXrg=; b=NyuLpWjisT3n6Qf44uwDFYM1ccwpo18PQ9+fE0xwOEbbsztPuOeS4kaDo35D3fMmnb bOpuQXvUkgggbouNhzXLI6K00Syzgi+FEyd+BDvOiO1wCnpzZMn6fR7WcNnSl4d1LH3u p9A5fcO+I6RzpgezaqZzcSJ97QYZMao9rh6z48yPD+G9mJ/ad/DZ4t8Dra2QebQWNmul LvA/J5Xdz4kmORHx2Aj7a9uPyHOc0kDatF1VwoC0UU/5w/I7RfzTHRikDUx0FeZ44c9f nd0P+Xup4LRK5FZL9zbMpTqYDqXGB0qK/s+wjp7y/top4p9QCXYDaGfiS6Mnu1SMbYFt EiGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j4jw+g39x1ahioVLhlrvFMFlFlL7908F0qumXt8wXrg=; b=qhxX9s/alTdclGkW/3H4VaQtkXrFixSAOSYzYrMFrKQsYGEpjFumxJmkhDKJFCSVyt 3xkJXJMZ3i9PtdMbDR7U/OXtbDwdamV/d1+nBAgN3Ng0wf8cOQjfRIKrxCgpW+kE2QIw grmuKDOxG7WAhLoMKSbKDx8WCW6kxG3+1E6/KWar5XgkUhvVZvTVshlwsKREO9Ztu5hV VBNj1kKJ1KrhceiEd1bqfRhd4ToJM1lccVrxLDQtWpzRtXvdRlN/lQLkCV3efh5PZ70l Bi/mcA5BoPCBluDupGf1OQiYPbtGgptn71+9pCNKQk4R3GocQFUcWmod02HiDFdIIgYw kteA==
X-Gm-Message-State: AOAM532Ba3hmi4F3wsXdOO/cC19LOegH13vT+Gyos1A6zSr0xmD5w97l LUo2LPt5FvAQEdqOxJ1w4s1Lnv+tzzGNh8GdQ8hCTO/EzVXkmA==
X-Google-Smtp-Source: ABdhPJxfKE3vbEC5v1zmCJc9jyGWQHUS/9WmnvFUk3YmkjNWcIntSFP5/+3BmADsE/W48LhkAzlZxeoCYSbBa2Obsv0=
X-Received: by 2002:a1c:a182:: with SMTP id k124mr11477478wme.132.1619031541068; Wed, 21 Apr 2021 11:59:01 -0700 (PDT)
MIME-Version: 1.0
References: <161901308063.21005.875603362157576926@ietfa.amsl.com> <CAHbrMsA4TMfE+3LAT+un0FF3DGXKsYB1zAtvUwf2YKr97mJ+sQ@mail.gmail.com> <87B615B4-9CA3-4060-93C2-E4B953C11FB2@akamai.com> <CAHbrMsDaqrQ+XDO4z395tC_yOH4MBH8OmoH8zTXWEHfcDC1+Ew@mail.gmail.com> <6245BB4F-4E2F-435F-ABC0-18C0420C8541@akamai.com>
In-Reply-To: <6245BB4F-4E2F-435F-ABC0-18C0420C8541@akamai.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 21 Apr 2021 14:58:49 -0400
Message-ID: <CAHbrMsDGq0usDiqr0HtbFCR4Y8swtyv_0i7UOFf=C_ExW+0FNQ@mail.gmail.com>
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000e91b5105c080270d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DVf_8NI0VE5OOOttZY0-UckLJ6Y>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 18:59:13 -0000

On Wed, Apr 21, 2021 at 1:24 PM Wellington, Brian <bwelling=
40akamai.com@dmarc.ietf.org> wrote:

> Yes, I think that sentence should be changed.  I’d suggest removing the
> "malformed SvcParamValues” part, but others may disagree.
>
> I agree that a URL is a tricky case.  The spec writer might not want to
> include an ABNF representation of a valid URL, because implementors would
> likely want to use existing facilities to parse URLs, which are likely not
> consistent.  In that case, though, I would expect the spec to indicate that
> the field is a bytestring, and the resolver to be able to that.  The fact
> that it’s a URL is something that the client should be checking.
>

But surely by this standard all fields are bytestrings?

For the existing parameters, there are checks that can (and should) be
> made; that IPv4 addresses, IPv6 addresses, and ports are of appropriate
> length, that the ALPN field has the right length prefix, and that the
> mandatory field is ordered and has a valid length.
>
> There are also checks which are not specified, and which a client may want
> to do, but are not part of the record format itself.  I wouldn’t expect a
> recursive resolver to reject a record containing an ipv4hint with the
> address 255.255.255.255, but that doesn’t mean that a client should try to
> connect to it.
>

It sounds like you are suggesting that we distinguish between "how the
resolver should parse the value" and "how the client should parse the
value" ... but the value is meaningless to the resolver, so there is no
particular sense in which the resolver should parse it.  This is not like
JSON, where an intermediary might check that the value of the "url" key is
a string, without checking whether it is a valid URL.  All SvcParamValues
are opaque bytestrings unless you know how to parse them.


> I do not think that it should be required that a resolver is able to
> convey malformed records, where malformed is (only) referring to the
> syntactic content.  That’s not how resolvers work for other types; no
> resolvers have options to allow 5 byte A records.
>

Similarly, there's no requirement here that resolvers be able to convey a
syntactically invalid SvcParams structure (i.e. truncated TLV).  The
requirement is that resolvers are, in general, able to convey records even
if a SvcParamValue does not appear to be valid according to the key's
specification.  This is particularly relevant for multipurpose codebases
that can act as both recursive and authoritative (or client).  Such
codebases must contain full SvcParam validation logic for all recognized
SvcParamKeys, but they must be able to bypass it in recursive mode to avoid
ossification.

This is not a requirement that resolvers always pass through these invalid
values, and in many cases (e.g. "port") the validation is sufficiently
trivial that enforcing it poses minimal compatibility risk.  However, I
think this is worth highlighting because, in my own implementation, it was
easiest to enforce full validation for all recognized keys (present and
future) during recursive resolution, and some extra effort was required to
make sure that invalid values could pass through.


>
> Brian
>
>
> On Apr 21, 2021, at 10:00 AM, Ben Schwartz <
> bemasc=40google.com@dmarc.ietf.org> wrote:
>
> On Wed, Apr 21, 2021 at 12:44 PM Wellington, Brian <bwelling=
> 40akamai.com@dmarc.ietf.org> wrote:
>
>> I’m not a fan of the new text in section 4.3:
>>
>> Recursive resolvers MUST be able to convey SVCB records with unrecognized
>> SvcParamKeys or malformed SvcParamValues.
>>
>>
>> It is perfectly reasonable for a recursive resolver to reject any
>> malformed DNS record.  There’s a significant difference between “malformed”
>> and “unknown”.  A recursive resolver should definitely allow records with
>> unknown SvcParamKeys, but if the format of a record is known, a resolver
>> should be allowed (encouraged, in fact) to check that it conforms to that
>> format.
>>
>
> The concern here was about differing interpretations of future standards.
> For example, if some SvcParamValue is defined as a URL (for some future
> key), implementations are likely to disagree about whether certain
> bytestrings are valid URLs.  (There are several definitions and a zillion
> edge cases.)  The resolver has no use for these values, so the most
> compatible behavior is to treat them as opaque bytestrings.
>
> We very deliberately chose the phrase "MUST be able to convey" to
> recognize that resolvers might be configured not to convey a record with a
> malformed value, but it should be possible.
>
> Do you think we should change this sentence?
>
>
>

v2.23.0 | Report a Bug | By Email