Re: [DNSOP] Fwd: HTTPSSVC record draft
Erik Nygren <erik+ietf@nygren.org> Tue, 09 July 2019 01:30 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 938BF1202AD for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 18:30:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.106
X-Spam-Level:
X-Spam-Status: No, score=-0.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.247, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xQB_kykAbR6b for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 18:30:15 -0700 (PDT)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 567E912023F for <dnsop@ietf.org>; Mon, 8 Jul 2019 18:30:15 -0700 (PDT)
Received: by mail-wr1-f48.google.com with SMTP id p13so19101938wru.10 for <dnsop@ietf.org>; Mon, 08 Jul 2019 18:30:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vLziU17mX3HE0qNdwQrzyWtJCeJBs5vZBmFHUvj/zIE=; b=ghy0+6t3S9i4esnMlg3iawdxW2PYq2Md+AfWG9xrw9L0ZIQeoVBetY09bXHRyTKYZz IdsxrxV34UT9HstcLUmsdX2DMrfuqJXkiOpWOeSw4NTYHWGgY5Q/W1JMqFoRVbxSTyUH a0aYGlz2mdmrEvQAXPipgf/SyOSqy/eaPubp4bBzmjZ/xVHxT9mbdU3+IYZE2fbuzadi n4TRyzlznFxehHHwNC4CFEZOBydo/pB1F2oFc+eJLzz18rOhoAxCYCyhyJgEsWWY1WPC Z52udmyagyPcrJ3zXV7z6r1rSeaByU1jhInGy7XWMqn8/0e4sKu8VXJMpGlgmr/f9RMV PhOw==
X-Gm-Message-State: APjAAAXK5IYjNY2fK+CTY27sfZk0Hsl5wVAkKFS+pUqqEKsg0BoYv62r NYvq8MbpXYJA9kV4j1zdMD9iCKKHtIfoD2xY4P4=
X-Google-Smtp-Source: APXvYqwgEAFtZ1WpAuK+A817QtncWKm1YndKFscax5rihOK2+cAclXVtxCDrrMSbTAyl4phIa8VHICBS78VKg+NFimI=
X-Received: by 2002:a5d:43c9:: with SMTP id v9mr20904115wrr.70.1562635813408; Mon, 08 Jul 2019 18:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk> <CAKC-DJhaZoC2eNH8kP80Dfe-CnsOnRg6A6XDD7pWhwYdx8x7tA@mail.gmail.com> <CAH1iCiprPWEV2Ts3XOa3-mZRR_Y9zkQMMQRDLUsnxDp3rC0Qmw@mail.gmail.com>
In-Reply-To: <CAH1iCiprPWEV2Ts3XOa3-mZRR_Y9zkQMMQRDLUsnxDp3rC0Qmw@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Mon, 08 Jul 2019 21:30:00 -0400
Message-ID: <CAKC-DJhskccWVxXnApE23Q5-UTQui712f66kVjXHDuDaz_af=w@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Ray Bellis <ray@bellis.me.uk>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009253c6058d3580b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Kz-hXAp3yKVsDZiFgxdSXC6z7nQ>
Subject: Re: [DNSOP] Fwd: HTTPSSVC record draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 01:30:19 -0000
Thanks for the feedback. I'll add the DNAME clarification in the next version, as well as better explain the FQDN separation motivation. The alt-svc ALPN values come from rfc7838 (Alt-Svc) and rfc7301 (ALPN). https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids (The "h3" = HTTP/3 over QUIC is not yet in the registry as it is still-in-progress. It was actually "hq" initially for Google QUIC. See https://tools.ietf.org/html/draft-ietf-quic-http-20#section-2.1 for some details from the active QUIC draft.) Erik On Mon, Jul 8, 2019 at 6:40 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote: > Hi, Erik, > > One minor issue is that wherever CNAME is referenced, you probably want to > also include a reference to DNAME, including any implied or explicit > chaining of CNAMEs (which could be sequences of CNAME and/or DNAME modulo > their respective behavior.) > > It might be a little clearer if the list of alt-svc values (h2, h3, etc) > that can occur were to be listed in the document. In particular, the > association between h3 and QUIC is inferred but not explicitly called out > (at least not that I noticed.) > > You might also want to explain the motivation for keeping the FQDN > separate from the alt-svc parameters (to make it trivial to parse, and thus > to do DNS substitutions like CNAME/DNAME). It is there, just not as > up-front as it could be. > > Otherwise, I think many of us would very much love to see this > implemented, as much of ANAME is fundamentally incapable of meeting the > intended goals, which this does very nicely. > > Brian > > On Mon, Jul 8, 2019 at 2:20 PM Erik Nygren <erik+ietf@nygren.org> wrote: > >> Ray, thanks for introducing this to dnsop! >> I've published a -03 with some of the feedback received so far: >> https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-03 >> >> For DNSOP folks, and ANAME proponents in-particular, >> I/we are especially interested in understanding if this would address >> enough of the customer use-cases driving ANAME were major >> browsers to implement support for HTTPSSVC, or would any >> limitations here cause problems there? >> >> I think the ideal would be for this to simultaneously solve >> enough of the ANAME use-cases (to ideally obviate the need for ANAME) >> and to also solve the other problems that clients are interested in >> solving >> (ESNI via DNS, H/3 via DNS, etc) to get this broadly deployed at least >> for the "web browser" use-case. >> >> Most significant changes from -01 to -03 based on feedback: >> * Remove the redundant length fields from the wire format. >> * Define a SvcDomainName of "." for SvcRecordType=1 as being the >> HTTPSSVC RRNAME. >> * Switch from 302 to 307 redirect for HSTS equivalent. >> but there also some added examples and other clarifications based on >> feedback received. >> >> While this is still an individual draft, we have been tracking it here: >> https://github.com/MikeBishop/dns-alt-svc >> but as always, commentary on the IETF lists is generally preferable. >> >> Erik >> >> >> >> >> On Mon, Jul 8, 2019 at 5:01 AM Ray Bellis <ray@bellis.me.uk> wrote: >> >>> For those not paying attention to the HTTP-bis working group, this DNS >>> RR was proposed there last week. >>> >>> It appears to subsume the ALT-SVC proposal and also covers the use case >>> I had in mind with my HTTP Record draft (i.e. CNAME at the apex). >>> >>> Given that it has someone from at least major browser vendor supporting >>> it there's some hope that this will actually be implemented by them. It >>> therefore seems my draft is probably no longer required. Hopefully >>> ANAME will follow it the same way ;-) >>> >>> Ray >>> >>> -------- Forwarded Message -------- >>> Subject: HTTPSSVC record draft >>> Resent-Date: Wed, 03 Jul 2019 18:46:25 +0000 >>> Resent-From: ietf-http-wg@w3.org >>> Date: Wed, 3 Jul 2019 14:45:47 -0400 >>> From: Erik Nygren <erik+ietf@nygren.org> >>> To: ietf-http-wg@w3.org Group <ietf-http-wg@w3.org>, Mike Bishop >>> <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, Benjamin >>> Schwartz <bemasc@google.com>, Erik Nygren - Work <nygren@akamai.com> >>> >>> >>> >>> >>> Ben, Mike, and I have submitted the first version of a proposal for an >>> "HTTPSSVC" DNS record. >>> >>> TL;DR: This attempts to address a number of problems (ESNI, QUIC >>> bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for >>> HTTP, etc) in a holistic manner through a new extensible DNS record, >>> rather than in a piecemeal fashion. It is based on some previous >>> proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes >>> into account feedback received in DNSOP and elsewhere. >>> >>> Feedback is most welcome and we're looking forward to discussing with >>> people in Montreal. >>> >>> Draft link: >>> >>> https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01 >>> >>> >>> >>> From the abstract: >>> >>> This document specifies an "HTTPSSVC" DNS resource record type to >>> facilitate the lookup of information needed to make connections for >>> HTTPS URIs. The HTTPSSVC DNS RR mechanism allows an HTTPS origin >>> hostname to be served from multiple network services, each with >>> associated parameters (such as transport protocol and keying material >>> for encrypting TLS SNI). It also provides a solution for the inability >>> of the DNS to allow a CNAME to be placed at the apex of a domain name. >>> Finally, it provides a way to indicate that the origin supports HTTPS >>> without having to resort to redirects, allowing clients to remove HTTP >>> from the bootstrapping process. >>> >>> By allowing this information to be bootstrapped in the DNS, it allows >>> for clients to learn of alternative services before their first contact >>> with the origin. This arrangement offers potential benefits to both >>> performance and privacy. >>> >>> This proposal is inspired by and based on recent DNS usage proposals >>> such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to >>> have SRV or a functional equivalent implemented for HTTP). These >>> proposals each provide an important function but are potentially >>> incompatible with each other, such as when an origin is load-balanced >>> across multiple hosting providers (multi-CDN). Furthermore, these each >>> add potential cases for adding additional record lookups in-addition to >>> AAAA/A lookups. This design attempts to provide a unified framework >>> that encompasses the key functionality of these proposals, as well as >>> providing some extensibility for addressing similar future challenges. >>> >>> -- >>> >>> Some likely FAQs (with some others listed in an appendix): >>> >>> Q: Why this is HTTP-specific? >>> A: This is because every protocol has different bootstrap requirements. >>> This draft is concerned with improving the efficiency and security of >>> bootstrapping HTTPS connections. This proposal does offer room for >>> non-HTTPS protocols, but the nature of DNS requires underscore prefixing >>> to support protocol-keyed answers within a single RRTYPE. It's also >>> unlikely that a single RR format would be the ideal bootstrap mechanism >>> for every protocol, and there's no reason that multiple protocols should >>> have to share an RRTYPE. >>> Q: Why is ESNI addressed directly? >>> A: This helps make a major motivation of this draft more clear. >>> Splitting out those sections to a separate-but-associated "alt-svc >>> attribute for ESNI keys" draft might make sense, but keeping it here >>> helps work through some of the issues together. >>> >>> Q: Why does this try to address the HSTS case? >>> A: This is a unique opportunity to fix HTTPS bootstrap and avoid >>> providing insecure defaults. We'd originally proposed a separate >>> Alt-Svc attribute to indicate hsts-style behavior, but then realized >>> that it would make sense to push on that as the default here. >>> >>> Best, Erik >>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop >>> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> >
- [DNSOP] Fwd: HTTPSSVC record draft Ray Bellis
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Ray Bellis
- Re: [DNSOP] Fwd: HTTPSSVC record draft Brian Dickson
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Tim Wicinski
- Re: [DNSOP] Fwd: HTTPSSVC record draft Ben Schwartz
- Re: [DNSOP] Fwd: HTTPSSVC record draft Mark Andrews
- Re: [DNSOP] Fwd: HTTPSSVC record draft Paul Vixie
- Re: [DNSOP] Fwd: HTTPSSVC record draft Joe Abley
- Re: [DNSOP] Fwd: HTTPSSVC record draft Paul Vixie
- Re: [DNSOP] Fwd: HTTPSSVC record draft Tim Wicinski
- Re: [DNSOP] Fwd: HTTPSSVC record draft Matthijs Mekking
- Re: [DNSOP] Fwd: HTTPSSVC record draft 神明達哉
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Christian Huitema