IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-svcb-https

Petr Špaček <pspacek@isc.org> Fri, 09 April 2021 06:59 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A49843A1222 for <dnsop@ietfa.amsl.com>; Thu, 8 Apr 2021 23:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=Ctvodauf; dkim=pass (1024-bit key) header.d=isc.org header.b=l8HcXjFO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GpxXSKzTFi1 for <dnsop@ietfa.amsl.com>; Thu, 8 Apr 2021 23:59:02 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 631323A121E for <dnsop@ietf.org>; Thu, 8 Apr 2021 23:59:02 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 71D633AB01E; Fri, 9 Apr 2021 06:58:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1617951539; bh=yVKHQkFw4LzFsw6Liqd7MDrQAhp0gqCah3aTRKOYxeI=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=CtvodaufaNa9wBY0CpkIKUaZ+QZXEdr9Ad1yPjJSLO3yvJRCjyAKPf+Sj8RrN6qfh u/wqJr+sO/ne4v40gvSRkdu4/oPaerYoSHuq82S2y1JyL7Ys9ymrBGeOL1VQt6aeL6 M5UPvZ25SW8cam5WwG54rxNggMY7WmFzNRvMGCw8=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 08D33160047; Fri, 9 Apr 2021 06:58:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A2C7E160067; Fri, 9 Apr 2021 06:58:58 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org A2C7E160067
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1617951538; bh=hV6F/H9tzsCtybYoVs5ImsN6ogzlkMvhJumisn9Qc2Y=; h=Subject:To:From:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=l8HcXjFOF5lEnO9zn5haKzO1An/Fyc/AOIQYaBrX1nOK+R3LdodzEqvuB1PJDfnH/ JpeDMjpKaoYkRkfoU66EtglrbFJN5knhzpJFCUF1l3Vuy5/OIS/7D7cMLUAmJuyGAF 0I5BLd2KYGYJPuXO7upKVjCKwEGiD4jKJwa5WYjk=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id qRqFSjGtgadE; Fri, 9 Apr 2021 06:58:58 +0000 (UTC)
Received: from [192.168.0.116] (ip-86-49-243-175.net.upcbroadband.cz [86.49.243.175]) by zmx1.isc.org (Postfix) with ESMTPSA id D9A20160047; Fri, 9 Apr 2021 06:58:57 +0000 (UTC)
To: Ben Schwartz <bemasc@google.com>
Cc: dnsop <dnsop@ietf.org>
References: <CADyWQ+Hg=XcMjT5BOxeV0F25sAT5QSZOEcdMHZiH1s0sS=1KzQ@mail.gmail.com> <9af6a2c1-70af-0ea6-52a5-36ae13159fdd@isc.org> <CAHbrMsDyWHwZiX-EAm_Qa9Ve6nk4ZrAgWN_Y+LgQoTq-NJoriw@mail.gmail.com>
From: Petr Špaček <pspacek@isc.org>
Message-ID: <d37863a8-cb12-ebec-d148-5908dabf7b26@isc.org>
Date: Fri, 09 Apr 2021 08:58:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAHbrMsDyWHwZiX-EAm_Qa9Ve6nk4ZrAgWN_Y+LgQoTq-NJoriw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E28PsfAUquCgKEWXqP4x9sWYT6Q>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-svcb-https
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 06:59:07 -0000

On 08. 04. 21 16:39, Ben Schwartz wrote:
> Thanks for the feedback, Petr.  I think the easiest solution is to relax 
> the requirement language.  I've proposed a change here: 
> https://github.com/MikeBishop/dns-alt-svc/pull/313 
> <https://github.com/MikeBishop/dns-alt-svc/pull/313>

Copying the diff here:

> - Recursive resolvers SHOULD treat the SvcParams portion of the SVCB RR
> - as opaque and SHOULD NOT try to alter their behavior based
> - on its contents.
> 
> + Recursive resolvers MAY treat the SvcParams portion of the SVCB RR
> + as opaque.  No part of this specification requires recursive resolvers
> + to alter their behavior based on its contents, even if the contents are
> + invalid.

This addresses my concern, thank you!

Petr Špaček


> 
> On Thu, Apr 8, 2021 at 3:55 AM Petr Špaček <pspacek@isc.org 
> <mailto:pspacek@isc.org>> wrote:
> 
>     On 18. 03. 21 21:53, Tim Wicinski wrote:
>      >
>      > This starts a Working Group Last Call for draft-ietf-dnsop-svcb-https
>      >
>      > Current versions of the draft is available here:
>      > https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>     <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>
>      > <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>     <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>>
>      >
>      > The Current Intended Status of this document is: Proposed Standard
>      >
>      > Please review the draft and offer relevant comments.
>      > If this does not seem appropriate please speak out.
>      > If someone feels the document is *not* ready for publication, please
>      > speak out with your reasons.
>      >
>      > This starts a two week Working Group Last Call process, and ends
>     on:  2
>      > April 2021
> 
>     I realize I'm already late, but I think this is worth raising with
>     the WG:
> 
>     Version -04 contains this:
> 
>     4.3.  General requirements
> 
>          Recursive resolvers SHOULD treat the SvcParams portion of the
>     SVCB RR
>          as opaque and SHOULD NOT try to alter their behavior based on its
>          contents.
>          When responding to a query that includes the DNSSEC OK bit
>          ([RFC3225]), DNSSEC-capable recursive and authoritative DNS servers
>          MUST accompany each RRSet in the Additional section with the same
>          DNSSEC-related records that they would send when providing that
>     RRSet
>          as an Answer (e.g.  RRSIG, NSEC, NSEC3).
> 
> 
>     The catch is that this "SHOULD NOT ... alter behavior" goes against RPZ
>     and any other filtering technique employed by the resolver.
> 
>     As a specific example, operators are already asking resolver vendors to
>     treat ipv4hint and ipv6hint the same way as A/AAAA for purposes of the
>     "Response IP Address" Trigger in the context of RPZ filters.
>     (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3
>     <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3>)
> 
>     Does WG want to say anything in the HTTPS draft or leave it to the
>     imagination of vendors?
> 
>     In my eyes, 4.3 "SHOULD NOT ... alter behavior" is unnecessary for
>     interoperability, so I think clarification is needed to make it clear
>     that local policy on resolver overrides "SHOULD NOT alter" instruction
>     in section 4.3. General requirements _if_ resolver operator deems
>     necessary.
> 
> 
>     Let me be clear:
>     It would not be very reasonable to believe that HTTPS RR will be in
>     practice allowed to work as a loophole to A/AAAA filtering on
>     resolvers,
>     so the question is if WG prefers to have it mentioned in the RFC
>     text or
>     not.
> 
>     -- 
>     Petr Špaček

v2.23.0 | Report a Bug | By Email