Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-svcb-https
Petr Špaček <pspacek@isc.org> Fri, 09 April 2021 06:59 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A49843A1222 for <dnsop@ietfa.amsl.com>; Thu, 8 Apr 2021 23:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=Ctvodauf; dkim=pass (1024-bit key) header.d=isc.org header.b=l8HcXjFO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GpxXSKzTFi1 for <dnsop@ietfa.amsl.com>; Thu, 8 Apr 2021 23:59:02 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 631323A121E for <dnsop@ietf.org>; Thu, 8 Apr 2021 23:59:02 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 71D633AB01E; Fri, 9 Apr 2021 06:58:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1617951539; bh=yVKHQkFw4LzFsw6Liqd7MDrQAhp0gqCah3aTRKOYxeI=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=CtvodaufaNa9wBY0CpkIKUaZ+QZXEdr9Ad1yPjJSLO3yvJRCjyAKPf+Sj8RrN6qfh u/wqJr+sO/ne4v40gvSRkdu4/oPaerYoSHuq82S2y1JyL7Ys9ymrBGeOL1VQt6aeL6 M5UPvZ25SW8cam5WwG54rxNggMY7WmFzNRvMGCw8=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 08D33160047; Fri, 9 Apr 2021 06:58:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A2C7E160067; Fri, 9 Apr 2021 06:58:58 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org A2C7E160067
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1617951538; bh=hV6F/H9tzsCtybYoVs5ImsN6ogzlkMvhJumisn9Qc2Y=; h=Subject:To:From:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=l8HcXjFOF5lEnO9zn5haKzO1An/Fyc/AOIQYaBrX1nOK+R3LdodzEqvuB1PJDfnH/ JpeDMjpKaoYkRkfoU66EtglrbFJN5knhzpJFCUF1l3Vuy5/OIS/7D7cMLUAmJuyGAF 0I5BLd2KYGYJPuXO7upKVjCKwEGiD4jKJwa5WYjk=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id qRqFSjGtgadE; Fri, 9 Apr 2021 06:58:58 +0000 (UTC)
Received: from [192.168.0.116] (ip-86-49-243-175.net.upcbroadband.cz [86.49.243.175]) by zmx1.isc.org (Postfix) with ESMTPSA id D9A20160047; Fri, 9 Apr 2021 06:58:57 +0000 (UTC)
To: Ben Schwartz <bemasc@google.com>
Cc: dnsop <dnsop@ietf.org>
References: <CADyWQ+Hg=XcMjT5BOxeV0F25sAT5QSZOEcdMHZiH1s0sS=1KzQ@mail.gmail.com> <9af6a2c1-70af-0ea6-52a5-36ae13159fdd@isc.org> <CAHbrMsDyWHwZiX-EAm_Qa9Ve6nk4ZrAgWN_Y+LgQoTq-NJoriw@mail.gmail.com>
From: Petr Špaček <pspacek@isc.org>
Message-ID: <d37863a8-cb12-ebec-d148-5908dabf7b26@isc.org>
Date: Fri, 09 Apr 2021 08:58:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAHbrMsDyWHwZiX-EAm_Qa9Ve6nk4ZrAgWN_Y+LgQoTq-NJoriw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E28PsfAUquCgKEWXqP4x9sWYT6Q>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-svcb-https
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 06:59:07 -0000
On 08. 04. 21 16:39, Ben Schwartz wrote: > Thanks for the feedback, Petr. I think the easiest solution is to relax > the requirement language. I've proposed a change here: > https://github.com/MikeBishop/dns-alt-svc/pull/313 > <https://github.com/MikeBishop/dns-alt-svc/pull/313> Copying the diff here: > - Recursive resolvers SHOULD treat the SvcParams portion of the SVCB RR > - as opaque and SHOULD NOT try to alter their behavior based > - on its contents. > > + Recursive resolvers MAY treat the SvcParams portion of the SVCB RR > + as opaque. No part of this specification requires recursive resolvers > + to alter their behavior based on its contents, even if the contents are > + invalid. This addresses my concern, thank you! Petr Špaček > > On Thu, Apr 8, 2021 at 3:55 AM Petr Špaček <pspacek@isc.org > <mailto:pspacek@isc.org>> wrote: > > On 18. 03. 21 21:53, Tim Wicinski wrote: > > > > This starts a Working Group Last Call for draft-ietf-dnsop-svcb-https > > > > Current versions of the draft is available here: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ > <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/> > > <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ > <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>> > > > > The Current Intended Status of this document is: Proposed Standard > > > > Please review the draft and offer relevant comments. > > If this does not seem appropriate please speak out. > > If someone feels the document is *not* ready for publication, please > > speak out with your reasons. > > > > This starts a two week Working Group Last Call process, and ends > on: 2 > > April 2021 > > I realize I'm already late, but I think this is worth raising with > the WG: > > Version -04 contains this: > > 4.3. General requirements > > Recursive resolvers SHOULD treat the SvcParams portion of the > SVCB RR > as opaque and SHOULD NOT try to alter their behavior based on its > contents. > When responding to a query that includes the DNSSEC OK bit > ([RFC3225]), DNSSEC-capable recursive and authoritative DNS servers > MUST accompany each RRSet in the Additional section with the same > DNSSEC-related records that they would send when providing that > RRSet > as an Answer (e.g. RRSIG, NSEC, NSEC3). > > > The catch is that this "SHOULD NOT ... alter behavior" goes against RPZ > and any other filtering technique employed by the resolver. > > As a specific example, operators are already asking resolver vendors to > treat ipv4hint and ipv6hint the same way as A/AAAA for purposes of the > "Response IP Address" Trigger in the context of RPZ filters. > (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3 > <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3>) > > Does WG want to say anything in the HTTPS draft or leave it to the > imagination of vendors? > > In my eyes, 4.3 "SHOULD NOT ... alter behavior" is unnecessary for > interoperability, so I think clarification is needed to make it clear > that local policy on resolver overrides "SHOULD NOT alter" instruction > in section 4.3. General requirements _if_ resolver operator deems > necessary. > > > Let me be clear: > It would not be very reasonable to believe that HTTPS RR will be in > practice allowed to work as a loophole to A/AAAA filtering on > resolvers, > so the question is if WG prefers to have it mentioned in the RFC > text or > not. > > -- > Petr Špaček
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Pieter Lexis
- Re: [DNSOP] Working Group Last Call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last Call for draft-iet… Petr Špaček
- Re: [DNSOP] Working Group Last Call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last Call for draft-iet… Petr Špaček
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter van Dijk