IETF Logo Mail Archive

Re: [DNSOP] Fwd: HTTPSSVC record draft

Christian Huitema <huitema@huitema.net> Fri, 26 July 2019 21:49 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6887B120071 for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2019 14:49:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kWJXo8NUjcXX for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2019 14:49:11 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B054112006E for <dnsop@ietf.org>; Fri, 26 Jul 2019 14:49:11 -0700 (PDT)
Received: from xse349.mail2web.com ([66.113.197.95] helo=xse.mail2web.com) by mx35.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1hr85M-0005Hz-Kj for dnsop@ietf.org; Fri, 26 Jul 2019 23:49:09 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 45wMkH73fFz9pTF for <dnsop@ietf.org>; Fri, 26 Jul 2019 14:32:39 -0700 (PDT)
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1hr7pP-0000Bw-Sl for dnsop@ietf.org; Fri, 26 Jul 2019 14:32:39 -0700
Received: (qmail 5812 invoked from network); 26 Jul 2019 21:32:39 -0000
Received: from unknown (HELO [100.88.46.204]) (Authenticated-user:_huitema@huitema.net@[172.56.12.251]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <erik+ietf@nygren.org>; 26 Jul 2019 21:32:38 -0000
Content-Type: multipart/alternative; boundary="Apple-Mail-CCB5A2CC-E3A5-4A4E-A720-C92D784B8296"
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (16F203)
In-Reply-To: <CAKC-DJhxLXMuE9BdHmFK742AeFHvPsfmEE5Rfy1XHc+vB8nUAg@mail.gmail.com>
Date: Fri, 26 Jul 2019 17:32:36 -0400
Cc: 神明達哉 <jinmei@wide.ad.jp>, Matthijs Mekking <matthijs@pletterpet.nl>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <8E9AC178-CE5A-4665-AE5C-47263F07CC8D@huitema.net>
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk> <cd42bccb-89db-4084-e9e5-7dad0d59cb35@pletterpet.nl> <CAJE_bqf2V2vk2uR2bsHzZ9+eDzCwA1hVi88AT7NWR6ibmE4MAg@mail.gmail.com> <CAKC-DJhxLXMuE9BdHmFK742AeFHvPsfmEE5Rfy1XHc+vB8nUAg@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
X-Originating-IP: 66.113.197.95
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.03)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0STiPCilqAig5bem4hJMKBmpSDasLI4SayDByyq9LIhVbvQk0gZ0ftfd ACuS23NBzUTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDwMrZRqsFCjz8E32pWQuD5pj9 EvBvwu01uVCaGVBWGqu3tR7GytWqO4w0iXXgY5ZO2rBNMmEsKEibQwSU1xBeOHButNDpi1WUXRkr He1vFsYm1aGKgRFqmjZjxZofiz4repvo9FObKa/r79UAkp+WlLyme9ldZJ7uNXfg/GfS8fXOC4kn OJkMS8NGDKsP9r3Khy7LI0kfFnXdPP6btp4oBeJDeKRq5oPj2hFJhLx+qI3HlR3ootg7OlA3N5WN re/oppAGOX5cHTu1yz4pRT/9FGrxEaaKeSxe0Wrx6M4G5/WoLsdfEoJI0BNUQ4KpaNyNCwGqOUcw rXf55E8Tb8bmXq4yH8StrboPphDtmrtUkwlUgiZZ2raUFFZA8s/fhxGt7T02ZXdoQxMs//iOE4Fl hiCv9TR+UxzLZWL8hwGBjhoI3W+YcuHfP5PkZb5A+wE5qGdpH54Oa3V8I76VOEvlwPpZ90pncljT Sb0eCPh6fGVjVg/I1zTYZRaNE2jpldWqk+B+UR/fpEu4swAwqkcLObar47EcAh7XWI4FkAlG3pwx iMxSpkvqIEtRL3s4ePxvne6Agjui5gKB/Byw/yqfyPKY2AXNZGS5G93aGyH8MqMlOQRMVMd0HCeT skOZ5TL8Q2bXyPQ4pDjGGazjNhE+/TXg724gFzhHYUe+7aKm0vXBASRWAblZ0kO5oCPbf/oZTi+J 2sBvM/O0p+zizleC4lU8fDj1CnRx+r4b/1Q/PZ89Va7rWgMQwRVmOudKQDTwvOnCUbNPgcPcQwzM gKHyQxUo+ql2ySTkvEFH/23XMww2BnTTFGX5/yI4Ky+1ZJcbGqc5H4PEZHeoI/d6LWFf332z7LMw LGdoi9FMQ5j9dQUvMi1YKAun15JQSJLyCT5k+MTObVKxHy/dols381l9r9ft9daDonlwd6LnuX+J u10=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FBD-H0vjQjzF-lhdWpmCkUHZ6fY>
Subject: Re: [DNSOP] Fwd: HTTPSSVC record draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 21:49:15 -0000

Erik,

In that case you should take a hard look at caching. The ESNI lookup needs to retrieve the name and the SNI key of the published server. It will remain valid as long as the key or the relationship between published and private does not change. If it is cached, the only required real time lookup is for the current address of the published server, which arguably may change more often than the ESNI data. So with proper caching, all that can be optimized.

-- Christian Huitema 

> On Jul 26, 2019, at 2:58 PM, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> The need to bootstrap ESNI (encrypted SNI) keys via DNS is the forcing function here for clients.  They need to do something new here to address that, and if that requires an additional lookup then there is opportunity if other problems can be solved at the same time as long as we don't slow down ESNI deployment or hurt performance over an ESNI-specific solution.
> 
>     Erik
> 
> 
>> On Fri, Jul 26, 2019 at 2:52 PM 神明達哉 <jinmei@wide.ad.jp> wrote:
>> At Tue, 23 Jul 2019 17:04:43 +0200,
>> Matthijs Mekking <matthijs@pletterpet.nl> wrote:
>> 
>> > But as soon as clients start querying for ANAME (and not address
>> > records) meaning it will chase the target itself, the DNS server
>> > actually does not have to do a target lookup anymore.
>> 
>> True, but my understanding is that the key difference is that the web
>> browser community (at least some big players of it) is willing to
>> support HTTPSSVC, thereby already overcoming the most difficult part
>> of the chicken-and-egg problem: how to deploy it in the client side.
>> I actually don't fully understand how HTTPSSVC has got the support
>> while ANAME hasn't though (perhaps because of the incentive of other
>> HTTPSSVC features like the alternative service form?).
>> 
>> Once a sufficient number of clients support it, the authoritative side
>> will have the incentive of deploying HTTPSSVC, and if it's
>> sufficiently deployed in the authoritative side, too, then we can
>> eventually hope to deprecate the practice of CNAME at apex.
>> 
>> Right now, I'm not sure how we can expect this to happen for ANAME
>> (except by waiting for perhaps several decades, until almost all
>> recursive servers natively support ANAME).
>> 
>> --
>> JINMEI, Tatuya
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email