IETF Logo Mail Archive

Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Jared Mauch <jared@puck.nether.net> Thu, 23 July 2020 11:52 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178E83A07F4 for <dnsop@ietfa.amsl.com>; Thu, 23 Jul 2020 04:52:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbOIWxVdqBmY for <dnsop@ietfa.amsl.com>; Thu, 23 Jul 2020 04:52:57 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19BFF3A07F0 for <dnsop@ietf.org>; Thu, 23 Jul 2020 04:52:57 -0700 (PDT)
Received: from [10.0.0.155] (c-68-49-104-93.hsd1.mi.comcast.net [68.49.104.93]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id 1DDE0540D53; Thu, 23 Jul 2020 07:52:55 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <98ACE304-0B25-446D-845F-672A97F0A014@isc.org>
Date: Thu, 23 Jul 2020 07:52:53 -0400
Cc: "Wellington, Brian" <bwelling@akamai.com>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>, Alessandro Ghedini <alessandro@ghedini.me>, Tommy Pauly <tpauly@apple.com>
Message-Id: <58D1DA5E-D716-49B9-B70B-E5B737697412@puck.nether.net>
References: <98ACE304-0B25-446D-845F-672A97F0A014@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (17G68)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MxopBLtUOhNFFNxv2AwEx5CeHVQ>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 11:52:59 -0000

Exactly. Mandatory is required except when it's not. I'll think of some improved text. 

Sent from my iCar

> On Jul 22, 2020, at 10:09 PM, Mark Andrews <marka@isc.org> wrote:
> 
> mandatory is described thus:
> 
> "In a ServiceMode RR, a SvcParamKey is considered "mandatory" if the RR will not 
> function correctly for clients that ignore this SvcParamKey. Each SVCB protocol
> mapping SHOULD specify a set of keys that are "automatically mandatory", i.e. 
> mandatory if they are present in an RR. The SvcParamKey "mandatory" is used to 
> indicate any mandatory keys for this RR, in addition to any automatically 
> mandatory keys that are present.
> 
> A ServiceMode RR is considered "compatible" with a client if the client implements 
> support for all its mandatory keys. If the SVCB RRSet contains no compatible RRs, 
> the client will generally act as if the RRSet is empty.
> 
> In presentation format, "mandatory" contains a list of one or more valid SvcParamKeys, 
> either by their registered name or in the unknown-key format ({{presentation}}). Keys 
> MAY appear in any order, but MUST NOT appear more than once. Any listed keys MUST also 
> appear in the SvcParams. To enable simpler parsing, this SvcParam MUST NOT contain 
> escape sequences.
> 
> For example, the following is a valid list of SvcParams:
> 
> echconfig=... key65333=ex1 key65444=ex2 mandatory=key65444,echconfig
> 
> In wire format, the keys are represented by their numeric values in network byte order, 
> concatenated in ascending order.
> 
> This SvcParamKey is always automatically mandatory, and MUST NOT appear in its own 
> value list. Other automatically mandatory keys SHOULD NOT appear in the list either. 
> (Including them wastes space and otherwise has no effect.)”
> 
> I don’t see how, after reading that, one can conclude that all ServiceMode records
> MUST include the key “mandatory”.
> 
> Mark
> 
>> On 23 Jul 2020, at 11:47, Wellington, Brian <bwelling@akamai.com> wrote:
>> 
>> If your interpretation of this comes down to “mandatory is optional”, then that shows how confusing this is.
>> 
>> Brian
>> 
>>>> On Jul 22, 2020, at 6:45 PM, Mark Andrews <marka@isc.org> wrote:
>>> 
>>> This is a case of reading a sentence out of context.
>>> 
>>> The first paragraph describing “mandatory” ends with:
>>> 
>>> The SvcParamKey "mandatory" is used to indicate any mandatory keys for this RR, in addition to any automatically mandatory keys that are present.
>>> 
>>> It also has:
>>> 
>>> In presentation format, "mandatory" contains a list of one or more valid SvcParamKeys,
>>> 
>>> I think there is already plenty of context to show that mandatory is optional.
>>> 
>>>> On 23 Jul 2020, at 11:31, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>>>> 
>>>> Brian
>>>> 
>>>> I agree on clarity, and their git repo has been more recently updated. 
>>>> I've been poking the authors on some better examples in the spec as well. 
>>>> 
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_MikeBishop_dns-2Dalt-2Dsvc&d=DwIFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=KbZDXTLvNOxENtFWCMdggAhJaRvABzLIoje-QspoFCM&s=NAnMW9xGWQVnYnS9I88YowKyWxHMrEM3ACuElx9IB5Y&e= 
>>>> 
>>>> 
>>>> On Wed, Jul 22, 2020 at 9:20 PM Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:
>>>> ok.  So, what this means is that keys listed in the “mandatory” parameter must be included as parameters, and are required to be understood by clients.  The set of “automatically mandatory” keys are required to be understood by clients, but are not required in the RR.
>>>> 
>>>> I’m a native English speaker, and have been working with DNS for over 20 years.  If I’m having trouble understanding this, perhaps the spec should be a bit clearer.
>>>> 
>>>> Brian
>>>> 
>>>>> On Jul 22, 2020, at 5:56 PM, Tommy Pauly <tpauly=40apple.com@dmarc..ietf.org> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jul 22, 2020, at 5:46 PM, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:
>>>>>> 
>>>>>> I attempted to start implementing support for SVCB and HTTPS, and discovered that the data being served by Cloudflare does not conform to the current spec.
>>>>>> 
>>>>>> Assuming my decoder is correct, the response below decodes to:
>>>>>> 
>>>>>> 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4= ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e
>>>>>> 
>>>>>> and does not include a “mandatory” parameter.  But section 6.5 of draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key, says:
>>>>>> 
>>>>>> This SvcParamKey is always automatically mandatory,
>>>>>> 
>>>>>> which implies that there MUST be a “mandatory” parameter.  Is this an oversight in the Cloudflare implementation, or is the Cloudflare implementation not implementing the current version?
>>>>> 
>>>>> The Cloudflare record does conform correctly.
>>>>> 
>>>>> The “mandatory” key does NOT need to be included. "automatically mandatory” keys do not need to be included. Mandatory just indicates which non-automatically-mandatory keys included in the record are required to be understood by clients, or else clients should reject them.
>>>>> 
>>>>> Thanks,
>>>>> Tommy
>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> Brian
>>>>>> 
>>>>>>> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Just a quick note that we have started serving "HTTPS" DNS records from
>>>>>>> Cloudflare's authoritative DNS servers. Our main use-case right now is
>>>>>>> advertising HTTP/3 support for those customers that enabled that feature (in
>>>>>>> addition to using Alt-Svc HTTP headers).
>>>>>>> 
>>>>>>> If anyone is interested in trying this out you can query pretty much all domains
>>>>>>> served by Cloudflare DNS for which we terminate HTTP.
>>>>>>> 
>>>>>>> For example:
>>>>>>> 
>>>>>>> % dig blog.cloudflare.com type65
>>>>>>> 
>>>>>>> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
>>>>>>> ;; global options: +cmd
>>>>>>> ;; Got answer:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
>>>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>>>>>> 
>>>>>>> ;; OPT PSEUDOSECTION:
>>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;blog.cloudflare.com.
>>>>>>> IN
>>>>>>> TYPE65
>>>>>>> 
>>>>>>> ;; ANSWER SECTION:
>>>>>>> blog.cloudflare.com.
>>>>>>> 300 IN
>>>>>>> TYPE65 \# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E
>>>>>>> 
>>>>>>> Cheers
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> DNSOP mailing list
>>>>>>> DNSOP@ietf.org
>>>>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf..org_mailman_listinfo_dnsop&d=DwICAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=Ei0lUqjTt2OhRnRqJeO1XDCHQqnH1FdINDMcPEhCC1g&s=WQn55KFIZ5LGfsj-QGNSS31WGhpI-GuXpJEmhibwNuo&e= 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> DNSOP mailing list
>>>>>> DNSOP@ietf.org
>>>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwIFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=KbZDXTLvNOxENtFWCMdggAhJaRvABzLIoje-QspoFCM&s=T4xEg4ZgSU98oALn8LAXlkcHcJsPFbcGLuBwIOLAef0&e= 
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwIFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=KbZDXTLvNOxENtFWCMdggAhJaRvABzLIoje-QspoFCM&s=T4xEg4ZgSU98oALn8LAXlkcHcJsPFbcGLuBwIOLAef0&e= 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwIFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=KbZDXTLvNOxENtFWCMdggAhJaRvABzLIoje-QspoFCM&s=T4xEg4ZgSU98oALn8LAXlkcHcJsPFbcGLuBwIOLAef0&e= 
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email