IETF Logo Mail Archive

Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)

Tommy Pauly <tpauly@apple.com> Fri, 26 August 2022 18:53 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5700C14CE32; Fri, 26 Aug 2022 11:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.085
X-Spam-Level:
X-Spam-Status: No, score=-4.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekEZIy2LkQ91; Fri, 26 Aug 2022 11:53:39 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74F8BC14F613; Fri, 26 Aug 2022 11:53:39 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 27QIilu9007097; Fri, 26 Aug 2022 11:53:37 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : content-transfer-encoding : from : mime-version : subject : date : message-id : references : cc : in-reply-to : to; s=20180706; bh=x1gXMwc/2AOrsB3/WIPPKoe4L0IMSFUL6O6c7MjaM3c=; b=qD4TOs1fPRhpjd6nyV3yZtSrdFstBBMB7WFEejFEc37pFli4H26whSADrPJwc89QaCkT dEDdAAAVaDk7uYZzdK9nIWsEnDJ4YhY4obrhwA/1uTchTLcQGHSJ0aWVOjMSYc9jFops J8HK53Ce6FtmCd4l10iNWyQSSt8R55LuCwqehIVrpwlxcMxmSUVtTZAVjDNP0l80aKKQ D7dt4nVh36CVb7/wKRyGN2IqOe1OfDexfrXjBagQqXcSoAgaB86bhs7HlD7/+WAqqYan U5HdrhkeXC2ho2l/3Rr5ncuWrq0eoiS2lxyboTmcb9SkQNs5FVIicEGbh4AEXJOLefgD +g==
Received: from ma-mailsvcp-mta-lapp03.corp.apple.com (ma-mailsvcp-mta-lapp03.corp.apple.com [10.226.18.135]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 3j2x95fx50-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 26 Aug 2022 11:53:37 -0700
Received: from ma-mailsvcp-mmp-lapp03.apple.com (ma-mailsvcp-mmp-lapp03.apple.com [17.32.222.16]) by ma-mailsvcp-mta-lapp03.corp.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPS id <0RH800FEGKHDJU40@ma-mailsvcp-mta-lapp03.corp.apple.com>; Fri, 26 Aug 2022 11:53:37 -0700 (PDT)
Received: from process_milters-daemon.ma-mailsvcp-mmp-lapp03.apple.com by ma-mailsvcp-mmp-lapp03.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) id <0RH800V00K1OUP00@ma-mailsvcp-mmp-lapp03.apple.com>; Fri, 26 Aug 2022 11:53:37 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e72da815dcb01dab2f988f94f1719970
X-Va-E-CD: 18c0ace60e2717b418ad4807c7423e4a
X-Va-R-CD: 4e8bda45b7224c98fc12eb5cf9468d2c
X-Va-CD: 0
X-Va-ID: a62cbdc8-d021-492a-8a9d-a8a6b4a111d9
X-V-A:
X-V-T-CD: e72da815dcb01dab2f988f94f1719970
X-V-E-CD: 18c0ace60e2717b418ad4807c7423e4a
X-V-R-CD: 4e8bda45b7224c98fc12eb5cf9468d2c
X-V-CD: 0
X-V-ID: fe22b837-1988-492d-bda7-41686fcc8078
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.895 definitions=2022-08-26_10:2022-08-25, 2022-08-26 signatures=0
Received: from smtpclient.apple (unknown [17.235.64.9]) by ma-mailsvcp-mmp-lapp03.apple.com (Oracle Communications Messaging Server 8.1.0.19.20220711 64bit (built Jul 11 2022)) with ESMTPSA id <0RH800NNNKHBTM00@ma-mailsvcp-mmp-lapp03.apple.com>; Fri, 26 Aug 2022 11:53:36 -0700 (PDT)
Content-type: multipart/alternative; boundary="Apple-Mail-B4D19926-B71F-4B77-9E25-B8EFF1B017AD"
Content-transfer-encoding: 7bit
From: Tommy Pauly <tpauly@apple.com>
MIME-version: 1.0 (1.0)
Date: Fri, 26 Aug 2022 11:53:24 -0700
Message-id: <66195CE5-3122-4CF2-85A1-B7314206A221@apple.com>
References: <CAHbrMsDuMczyo+8eOP7VoWogrnU7q27-Q1RQWNFVKodbYwMftw@mail.gmail.com>
Cc: dnsop <dnsop@ietf.org>
In-reply-to: <CAHbrMsDuMczyo+8eOP7VoWogrnU7q27-Q1RQWNFVKodbYwMftw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (20A356)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.895 definitions=2022-08-26_10:2022-08-25, 2022-08-26 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DZIMcheGOmnbgW9MAJDaccxzDpk>
Subject: Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2022 18:53:43 -0000



On Aug 26, 2022, at 4:29 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:




On Thu, Aug 25, 2022 at 7:19 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
On Thu, Aug 25, 2022 at 04:35:39PM -0400, Ben Schwartz wrote:

> Relatedly, the results presented by EKR [1] at the most recent DNSOP
> meeting measure that 6.5% of Firefox users are unable to retrieve HTTPS
> records through their local resolver.  To me, this implies that functional
> origin endpoints are likely to be required even if client software gains
> SVCB/HTTPS support.

This is why my suggested client behaviour was cognisant of this impediment.

    - If the client's *initial* SVCB lookup succeeds, *then* fallback is
      no longer an option.

    - If initial SVCB resolution fails (SERVFAIL, timeout, ...)
      then the client behaves as though the SVCB record does not exist.

This results in more predictable behaviour, without optimising for
failure.

I don't think "more predictable" is really a desirable or achievable outcome in this case.  Sophisticated clients (e.g. web browsers for HTTP, iterative resolvers for DNS) tend to develop highly tuned heuristics and state machines in pursuit of performance and reliability within their particular constraints.  I think an instruction not to fall back in this case would likely be ignored. 

I definitely agree with all the points that Ben is making here and elsewhere. The practical realities of dealing with new record types, and the evolving heuristics on clients, will determine how the records are used. 

It makes sense for informational documents to talk about techniques and best practices—like an updated Happy Eyeballs algorithm to include SVCB logic, but that shouldn’t block anything in the base specification or add overly restrictive requirements today. 

Tommy

It also strikes me as questionable from a standards perspective: if SVCB itself is optional, surely the client always has the right to change its mind and disable its support for SVCB?
 
  If the origin zone directs the service elsewhere, and there
are no last-mile DNS lookup roadblocks, then the protocol becomes
"reliable" (optimises for success and predictability, over fallback
recovery leading to potentially/eventually undesirable outcomes).


> I believe this balance could be revisited in several years' time, if "HTTPS
> Record" support becomes sufficiently universal.

Indeed it is a possible position to say that the Internet is not yet
ready for semantically distinct services seen by SVCB-aware and legacy
clients.

In addition to the deployment concerns I've mentioned earlier, a deployment of this kind would be intrinsically insecure: a hostile intermediary could override the choice of which semantically distinct service is seen by the client.  That's another reason why this configuration is not permitted.

  But I think that latching on success of the initial lookup
largely addresses the present impediments to reliance on SVCB.

The same could have been said of EDNS0 fallback, but the IETF wisely did not attempt to leap straight to that configuration in the initial RFC.  Instead, we gave client implementors plenty of room to tune their own fallback behaviors, and came back to tighten the system up much later when it became safe to do so.

> Viktor notes with concern that AliasMode is a "non-deterministic
> redirect".  Instead, the draft attempts to model the client behavior as a
> preference ordered stack of endpoints:
>

I also noted an issue around the initial $QNAME having prefix labels (in
the case of SVCB rather than HTTPS), and so this is likely not the name
you want appended as a fallback to the target list.

Indeed, I think this is a clarity/precision problem that we should correct.  Specifically, this "final value of $QNAME" endpoint is only used if it is not the initial value of $QNAME (i.e. if an AliasMode record was found).

Similarly, if an AliasMode target has attrleaf labels, RFC1123 seems to
preclude publishing A/AAAA records there, making some of the example
configurations in the draft impractical.

I don't agree with this reading of RFC 1123.  There is no requirement that address records only be placed on hostnames, and there is no requirement that TargetName be a hostname.  If I were making an argument here, it might be about compatibility with RFC 8553 (Attrleaf), but hopefully this is mostly moot per the above.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email