Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Ben Schwartz <bemasc@google.com> Thu, 23 July 2020 01:41 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Wed, 22 Jul 2020 21:41:15 -0400
Message-ID: <CAHbrMsDWwahCWoDtQRHQOb5ThGZHuVaOU+e3zkd=H-CZF1s3wg@mail.gmail.com>
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Alessandro Ghedini <alessandro@ghedini.me>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EXDmLtXjeweVBnmaJ29OUB-YYyM>

On Wed, Jul 22, 2020 at 9:20 PM Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:

> ok.  So, what this means is that keys listed in the “mandatory” parameter
> must be included as parameters, and are required to be understood by
> clients.  The set of “automatically mandatory” keys are required to be
> understood by clients, but are not required in the RR.
>

From the client's perspective, "mandatory" means "if you don't understand
all of these keys, discard the RR".  Each key on the list is "mandatory" in
the sense that it conveys information that is required to make correct use
of the RR.  All other keys are optional: they can be ignored and the RR
will still "work" for connection establishment.

"Automatically mandatory" means "this key is mandatory if it is present".

If you can think of a clearer presentation, please send text!

> I’m a native English speaker, and have been working with DNS for over 20
> years.  If I’m having trouble understanding this, perhaps the spec should
> be a bit clearer.
>
> Brian
>
> On Jul 22, 2020, at 5:56 PM, Tommy Pauly <
> tpauly=40apple.com@dmarc.ietf.org> wrote:
>
>
>
> On Jul 22, 2020, at 5:46 PM, Wellington, Brian <
> bwelling=40akamai.com@dmarc.ietf.org> wrote:
>
> I attempted to start implementing support for SVCB and HTTPS, and
> discovered that the data being served by Cloudflare does not conform to the
> current spec.
>
>
> Assuming my decoder is correct, the response below decodes to:
>
> 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4=
> ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e
>
> and does not include a “mandatory” parameter.  But section 6.5 of
> draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key,
> says:
>
> This SvcParamKey is always automatically mandatory,
>
> which implies that there MUST be a “mandatory” parameter.  Is this an
> oversight in the Cloudflare implementation, or is the Cloudflare
> implementation not implementing the current version?
>
>
> The Cloudflare record does conform correctly.
>
> The “mandatory” key does NOT need to be included. “Automatically
> mandatory” keys do not need to be included. Mandatory just indicates which
> non-automatically-mandatory keys included in the record are required to be
> understood by clients, or else clients should reject them.
>
> Thanks,
> Tommy
>
>
> Thanks,
> Brian
>
> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me>
> wrote:
>
> Hello,
>
> Just a quick note that we have started serving "HTTPS" DNS records from
> Cloudflare's authoritative DNS servers. Our main use-case right now is
> advertising HTTP/3 support for those customers that enabled that feature (in
> addition to using Alt-Svc HTTP headers).
>
> If anyone is interested in trying this out you can query pretty much all
> domains served by Cloudflare DNS for which we terminate HTTP.
>
> For example:
>
>  % dig blog.cloudflare.com type65
>
> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;blog.cloudflare.com.          IN      TYPE65
>
> ;; ANSWER SECTION:
> blog.cloudflare.com.    300     IN      TYPE65  \# 76
> 000100000100150568332D32390568332D32380568332D3237026832
> 0004000868121A2E68121B2E00060020260647000000000000000000
> 68121A2E26064700000000000000000068121B2E
>
> Cheers
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
>
> https://www.ietf.org/mailman/listinfo/dnsop
>
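The record quoted in the thread and the "mandatory" rule Ben describes, as an added worked example (not code from the draft, from Cloudflare, or from any poster): parse_svcb() decodes the 76-byte RDATA from the dig output into SvcPriority, TargetName and raw SvcParams, present() renders the alpn and address-hint keys in the draft's presentation form, and client_accepts() discards an RR whose "mandatory" list names a key that is absent or not understood. It assumes the SvcParamKey numbers of the IANA registry (RFC 9460: mandatory=0, alpn=1, port=3, ipv4hint=4, ipv6hint=6); the `understood` set passed to client_accepts() is a constructed stand-in for a client's key support.

```python
# Added example, not code from the draft, Cloudflare, or any poster in the thread.
import ipaddress, struct

# The 76-byte RDATA from the dig output quoted in the thread (generic \# form).
CLOUDFLARE_RDATA = bytes.fromhex(
    "000100000100150568332D32390568332D32380568332D3237026832"
    "0004000868121A2E68121B2E00060020260647000000000000000000"
    "68121A2E26064700000000000000000068121B2E")

def parse_svcb(rdata):
    """Return (SvcPriority, TargetName, {key: raw value}) from SVCB/HTTPS RDATA."""
    priority = struct.unpack("!H", rdata[:2])[0]
    off, labels = 2, []
    while rdata[off]:  # TargetName is an uncompressed name; a lone zero byte is "."
        labels.append(rdata[off + 1:off + 1 + rdata[off]].decode("ascii"))
        off += 1 + rdata[off]
    target, off = ".".join(labels) + ".", off + 1
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:  # keys must be unique and in ascending order
            raise ValueError("bad SvcParamKey order")
        params[key] = rdata[off + 4:off + 4 + length]
        off, last_key = off + 4 + length, key
    return priority, target, params

def present(params):
    """Presentation form for the keys used in the thread; other keys as raw hex."""
    out = {}
    for k, v in params.items():
        if k == 1:  # alpn: sequence of length-prefixed protocol ids
            ids, i = [], 0
            while i < len(v):
                ids.append(v[i + 1:i + 1 + v[i]].decode("ascii")); i += 1 + v[i]
            out["alpn"] = ",".join(ids)
        elif k in (4, 6):  # ipv4hint / ipv6hint: packed 4-byte or 16-byte addresses
            size, name = (4, "ipv4hint") if k == 4 else (16, "ipv6hint")
            out[name] = ",".join(str(ipaddress.ip_address(v[i:i + size]))
                                 for i in range(0, len(v), size))
        else:  # e.g. mandatory (0), port (3), ech (5): leave the value as hex
            out["key%d" % k] = v.hex()
    return out

def client_accepts(params, understood):
    """Ben's rule: every key listed in 'mandatory' (key 0) must be present in the RR
    and understood by this client, else discard the RR; key 0 must not list itself."""
    if 0 not in params:
        return True
    listed = struct.unpack("!%dH" % (len(params[0]) // 2), params[0])
    return all(k != 0 and k in params and k in understood for k in listed)
```

Run against the Cloudflare bytes, present() yields alpn=h3-29,h3-28,h3-27,h2 plus an ipv4hint and the two ipv6hint addresses, with no "mandatory" key, so client_accepts() keeps the RR for any client.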