IETF Logo Mail Archive

Re: [DNSOP] HTTPS and SVBC key names.

Ben Schwartz <bemasc@google.com> Mon, 20 July 2020 21:54 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E4243A0FDC for <dnsop@ietfa.amsl.com>; Mon, 20 Jul 2020 14:54:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5SHeGNZQDx1 for <dnsop@ietfa.amsl.com>; Mon, 20 Jul 2020 14:54:45 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C4533A0FDA for <dnsop@ietf.org>; Mon, 20 Jul 2020 14:54:45 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id z15so19231472wrl.8 for <dnsop@ietf.org>; Mon, 20 Jul 2020 14:54:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2voUQ52W6R8p686zdT7U23i8Ulme0CUPh8DLORgVSb4=; b=oiXYMnYp9PtOg2U4WWUkBon+dMz1MrfF7k6hqlLD9FEnlXQphdqQBLBIEDdTptJCbv xmtMQn689tzgUebQnWGB2GZkOxx/xAMWxB31KoyZp/JyO10QdIFeY11yApafsyE6IJjq i0+47hHp+j7znFRB/TDmPNUH1c8efl9FAsvZuohqmc+OhzM2k3/1d4gcAOlDhn3OxBq2 GI+bnzXzhesxhPwYYsAcZKY1z9M7RZNz6kcHMddcjEgXNAPBEXU76DF7HLU6hlS+Glna 8NH4RvfoaC18OFQvWCV8sNsyHaVVuSGEgP2HeAAKUq6RSEIwRmGcBqDihRGdwMwpPOUz Ujnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2voUQ52W6R8p686zdT7U23i8Ulme0CUPh8DLORgVSb4=; b=VNb96/ozNjEgREn72VK4wniROd63gKGKuyfZDAILOfVnsZyaAB4NYItU84PjGlI8d/ 82t0vFOq1cAUiVztMSAX5YajKOvu0JeqUdo4CnroZyVv0HVb5e6RJ3FWQzATZzsXFqkY sEhnTz0C4wNZOgGrI1OD92kBALauVP9uP5L1JzrcvUVftKVIB7q+mdMAt/8sJt0JfoAG j51UEzW80A+xR3i/ufrPginK6hGDqcrHgHUnW/AYqBpL7HhTcu61S+rQoQSaoE3jXA6a Cx6HwAqfaASSC/D2f1U8kGB8aT7UVpzILpUOvSQVc0KNCNoGgt5Ld78nbQGeYJOb952K /WCw==
X-Gm-Message-State: AOAM531oei6DXMzapAgIuTfSBDY/zkaDlNpyBR9KFb/Lbz1brMkdkDdC Vg0aO/QaOxMD09WAeQITq7dvYynDgPJIN8V2Ddyznw==
X-Google-Smtp-Source: ABdhPJxGb+1bfwvqxtKIJAtTeq2PgqoBWNobTETuKiIS4fXfbwPjnhzg/b7CunUog+nZr9/5rYAXmEK7dM952DnGa7s=
X-Received: by 2002:adf:e486:: with SMTP id i6mr9861704wrm.258.1595282083334; Mon, 20 Jul 2020 14:54:43 -0700 (PDT)
MIME-Version: 1.0
References: <23FA2BA0-43B9-49A3-B288-3ADFCE1D1DB1@isc.org> <CAHbrMsDOyTXyJydro8enSePy9COOfK7AVL6Pqv94YGAGhg41Hg@mail.gmail.com> <CAKC-DJiBw7vDr_KA1sb+ephuagRCT84f1B0PGXJptPiZTh2CSg@mail.gmail.com> <CAN6NTqxGLF0tZ17TX8jy2YWPf=qHhW93=fKETJ4kScJbQUUgxw@mail.gmail.com> <CAKC-DJiMngJonCp2EPrHTWMHwV0VAGquf733YcTZ9JSTFtwAhA@mail.gmail.com> <CAH1iCipbR9D_Tqc4dW5zARpEgjZ=-b3d6ZywPzo0=jfBedppYw@mail.gmail.com> <CAKW6Ri7K7efEj81nKJq7W0MKyn9rDOL7bLt-zVUokodVfrjAwA@mail.gmail.com> <CAHbrMsC-5wvxsmrzHnrnfUZOG1wQsGmEF2m2jMt4a5vieK7Nyg@mail.gmail.com> <CAKW6Ri7aF0knx2SFJgx4OxxVJfeNWYJ3pJBmxXQH+UMZ0P4_Rw@mail.gmail.com> <CAHbrMsBTnFmJdj9KYfzGajKmbWJ1+XF_f8BGMPnLy=MFAhCygg@mail.gmail.com> <CAKW6Ri7Cmt43uH_yV0Hjz64b3PynR9WS3NgLf5YZ1K9kwEzXFg@mail.gmail.com>
In-Reply-To: <CAKW6Ri7Cmt43uH_yV0Hjz64b3PynR9WS3NgLf5YZ1K9kwEzXFg@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 20 Jul 2020 17:54:31 -0400
Message-ID: <CAHbrMsC2rpKL8WA-bwHMGaiNoC-NGNY3JVu7SAShFxPWBOU9kA@mail.gmail.com>
To: Dick Franks <rwfranks@gmail.com>
Cc: dnsop WG <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ebc2a405aae68d71"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FiHrt4O0H2ZgbLgbX_j1UPcOC4Q>
Subject: Re: [DNSOP] HTTPS and SVBC key names.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 21:54:47 -0000

On Mon, Jul 20, 2020 at 2:39 PM Dick Franks <rwfranks@gmail.com> wrote:

>
> On Thu, 16 Jul 2020 at 21:17, Ben Schwartz <bemasc@google.com> wrote:
>
>
>> The presentation format is optimized for humans and the wire format is
>>>> optimized for machines. In particular, when using the named keys it's not
>>>> obvious what the numeric ordering is, so keeping them in order when editing
>>>> a zone file by hand would be hard.
>>>>
>>>
>   blog.cloudflare.com. 300 IN HTTPS ( 1  .
>
> key1=\005\104\051\045\050\057\005\104\051\045\050\056\005\104\051\045\050\055\002\104\050
>      key4=\104\018\026\046\104\018\027\046
>
> key6=\038\006\071\000\000\000\000\000\000\000\000\000\104\018\026\046\038\006\071\000\000\000\000\000\000\000\000\000\104\018\027\046
>      )
>
> "optimized" is not the word which springs to this human's mind.
>

The unknown-key format is designed more for authoring than reading.  As an
author, it works somewhat better than your example.  For instance, your
key1 could be written as

key1=\005h3-29\005h3-28\005h3-27\002h2

That seems more intelligible than hex or base64.

Also, your key4 here pretty clearly shows the IPv4 addresses 104.18.26.46
and 104.18.27.46.

In short, the unknown-key format is fairly usable for authoring fields
whose values are plain text or numeric octets, since a human author can
choose escape codes or ASCII characters as appropriate.  A renderer (by
definition) has no idea what the contents mean, so it can work well for
plain text or numeric octets but not both.

IMHO, tarted up RFC3597 format is easier to read.
>

With the addition of comments for the recognized keys and fields, I think
you're probably right.  However, when authoring a zone file I would hate to
have to use RFC 3597 hex for the whole record just to add one key that my
parser doesn't support yet.  Also, if most future keys turn out to have
ASCII plaintext values (e.g. URLs), an unknown key renderer that uses ASCII
symbols where possible might turn out to work quite well.

Example:
>
>     use Net::DNS;
>
>     my $rr = new Net::DNS::RR <<'END';
>     example.net.        300     IN      HTTPS   1 target.example.net.
>         mandatory=key0,key1,alpn,no-default-alpn,key99  ; with
> duplications and other sins
>         alpn=h3-29,h3-28,h3-27,h2
>         no-default-alpn
>         port=1234
>         ipv4hint=192.0.2.1,192.0.2.2
>         echconfig=base64string
>         ipv6hint=2001:DB8::1,2001:DB8::2
>     END
>
>     $rr->print;
>
> produces:
>
>     example.net.    300     IN      HTTPS   ( \# 126 0001
>         06746172676574076578616d706c6503 6e657400 ; target.example.net.
>         0000 0004 00010002
>         0001 0015 0568332d32390568332d32380568332d 3237026832
> <(323)%20702-6832>
>         0002 0000
>         0003 0002 04d2
>         0004 0008 c0000201c0000202
>         0005 0009 6dab1eeb8b2dae29e0
>         0006 0020 20010db8000000000000000000000001
> 20010db8000000000000000000000002
>         )
>
> Observations and complaints gratefully received.
>
> --Dick
>
>> _______________________________________________
>>>>>>
>>>>> DNSOP mailing list
>>>>> DNSOP@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>>
>>>>

v2.23.0 | Report a Bug | By Email