Re: [DNSOP] status of the aname and svcb/httpsvc drafts
Erik Nygren <erik+ietf@nygren.org> Fri, 21 February 2020 17:29 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13C2F12023E for <dnsop@ietfa.amsl.com>; Fri, 21 Feb 2020 09:29:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ElWP8yn9Zl3X for <dnsop@ietfa.amsl.com>; Fri, 21 Feb 2020 09:29:57 -0800 (PST)
Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A473120147 for <dnsop@ietf.org>; Fri, 21 Feb 2020 09:29:57 -0800 (PST)
Received: by mail-wm1-f53.google.com with SMTP id b17so2759918wmb.0 for <dnsop@ietf.org>; Fri, 21 Feb 2020 09:29:56 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rZKHqVMDpY48y5cMeVUMTua1LFnbfRYFCIvva8sPOQM=; b=gULglHqueHyXBTYk2cim5+A7LeP54MvB0PpZKDE7UnPFbsCtbtEdraiwmq49+KrMDB 0rjxexo314pV/9e5SdmIJu/yrF6/mFupXA67z+cc5IoGt4/w5bzIOz8bT9gpZK0HpzOe aheXEseUdcF1MXcX/jKbRmuf6dMGUVKNsA6dgCEC/dVdhZFvJ/nLYqSMwiUHEr/Ag/e6 I0O2Z3+ydbmlm9bFn+Hf2F0UK/QAer+h4QqiRH00KYkQdxm+xN15x4BDbf5lDjqmPWl3 tvWA/uDUbUV14UJMnrqgRyr8IsBcJJWGdqoYXDbyFe22KsBtwsOucacr2Y/gW4OrJZxY e9eg==
X-Gm-Message-State: APjAAAXXd5yfilPyqh8Q4T2Q6D+KxQ1j6l09TWkTSbndZptBD2y5akbV oSFxlvke6GM4I82BB6NMXSB8LHYbOnZXUersfKOULRJF
X-Google-Smtp-Source: APXvYqyveQPQXZmbHYVc6b3hwg1fCfUPfk+kB36gKLBvnHItK8LgWKyr7bqj+H+geOkyYYbKxjpK9SPdBEdCwJ9nHJg=
X-Received: by 2002:a05:600c:294a:: with SMTP id n10mr5028683wmd.11.1582306195269; Fri, 21 Feb 2020 09:29:55 -0800 (PST)
MIME-Version: 1.0
References: <b34f1b0d-fa65-23d4-1b2b-761b965a2aae@knipp.de> <CAG8jCEzO7zrfL5G5CzdJ=c5wipJgqqHfyeA-a3-QjquoyPYgvg@mail.gmail.com> <3ead518d-f166-1c36-c3e9-18aeb355d160@pletterpet.nl> <57323a0d-6d33-ceef-1e99-58d61eff16dd@knipp.de> <041cf7a9-be2b-18bd-7f76-edbae5cd1e4b@NLnetLabs.nl> <57505938-340A-4594-A283-EF670BD1B47E@isoc.org> <48d82bb1-81ff-6e25-b060-5a2b9ac7791f@knipp.de> <581e6821-0114-5647-5733-e5c7b6be332e@nic.cz> <15ed82d1-6923-7813-4077-dd812eeb2410@knipp.de> <80699e28-45a6-835e-42ce-ff72ff95f648@nic.cz>
In-Reply-To: <80699e28-45a6-835e-42ce-ff72ff95f648@nic.cz>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Fri, 21 Feb 2020 12:29:41 -0500
Message-ID: <CAKC-DJiHzXKzLNgrvPj_YSbiU89yidZL4=7oDGvs9GjA0cVMwQ@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: Klaus Malorny <Klaus.Malorny@knipp.de>, dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b1eeab059f195eae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nst-9aWMQaGh2j2Lv6q7lLV08vY>
Subject: Re: [DNSOP] status of the aname and svcb/httpsvc drafts
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 17:29:59 -0000
On Fri, Feb 21, 2020 at 9:53 AM Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote: > In this case however, I personally believe it's much better design *not* > to put the link-following work on authoritative servers (or their > provisioning) but further down the chain (resolvers and/or clients). > Well, I suppose I don't really want to open a long thread around this > topic again :-) > This is my perspective as well. Some of the "proprietary CNAME flattening" approaches done by CDNs are proprietary not because it wouldn't better to standardize but because the design and implementation constraints get insanely complex and not what we wanting to put into authoritatives+recursives. See this mail for some more context: https://www.mail-archive.com/dnsop@ietf.org/msg20734.html The HTTPSSVC record will help for new clients and it's hopeful that major clients will have good incentives to implement it. Some of the caveats (to not over-sell this approach and to set expectations appropriately): 1) As mentioned, this only helps new clients. (There is nothing preventing API clients from also implementing this, and they may have benefits as well.) But this means the A/AAAA fallback records may still be needed for some significant time for legacy clients. Perhaps if traffic levels from those get small enough that a complementary less-performant ANAME solution might be easier. 2) Some major web clients have indicated that they may only support and query HTTPSSVC when received via a secured transport such as DoH, at least initially. 3) The HTTPSSVC record also indicates that the site is only available over HTTPS, so won't be applicable for insecure HTTP-only sites. Hopefully not a problem with HTTPS becoming the new default for most sites. It also will help performance for the common zone apex cases, especially where a user enters "example.com" into a browser. Right now browsers default to http (port 80) and (most now?) servers then redirect to https port 443. So a HTTPS redirect is often in the loop for some zone apex flows, and this removes that by signalling the use of HTTPS. One option might be to shelve ANAME for the time-being and then return back to it in a few years if it still seems needed at that point? Erik
- [DNSOP] status of the aname and svcb/httpsvc draf… Klaus Malorny
- Re: [DNSOP] status of the aname and svcb/httpsvc … Olli Vanhoja
- Re: [DNSOP] status of the aname and svcb/httpsvc … Eric Orth
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tommy Pauly
- Re: [DNSOP] status of the aname and svcb/httpsvc … Rob Sayre
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tommy Pauly
- Re: [DNSOP] status of the aname and svcb/httpsvc … Warren Kumari
- Re: [DNSOP] status of the aname and svcb/httpsvc … Erik Kline
- Re: [DNSOP] status of the aname and svcb/httpsvc … Erik Nygren
- Re: [DNSOP] status of the aname and svcb/httpsvc … Matthijs Mekking
- Re: [DNSOP] status of the aname and svcb/httpsvc … Klaus Malorny
- Re: [DNSOP] status of the aname and svcb/httpsvc … Shane Kerr
- Re: [DNSOP] status of the aname and svcb/httpsvc … Matthijs Mekking
- Re: [DNSOP] status of the aname and svcb/httpsvc … Evan Hunt
- Re: [DNSOP] status of the aname and svcb/httpsvc … Paul Vixie
- Re: [DNSOP] status of the aname and svcb/httpsvc … Benno Overeinder
- Re: [DNSOP] status of the aname and svcb/httpsvc … Klaus Malorny
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Dan York
- Re: [DNSOP] status of the aname and svcb/httpsvc … Klaus Malorny
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tim Wicinski
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Klaus Malorny
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Erik Nygren
- Re: [DNSOP] status of the aname and svcb/httpsvc … Ben Schwartz
- Re: [DNSOP] status of the aname and svcb/httpsvc … Brian Dickson
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tony Finch
- Re: [DNSOP] status of the aname and svcb/httpsvc … Brian Dickson
- Re: [DNSOP] status of the aname and svcb/httpsvc … Bob Harold
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tony Finch
- Re: [DNSOP] status of the aname and svcb/httpsvc … Andrew M. Hettinger
- Re: [DNSOP] status of the aname and svcb/httpsvc … Joe Abley
- Re: [DNSOP] status of the aname and svcb/httpsvc … Joe Abley
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tony Finch
- Re: [DNSOP] status of the aname and svcb/httpsvc … Evan Hunt
- Re: [DNSOP] status of the aname and svcb/httpsvc … Olli Vanhoja
- Re: [DNSOP] status of the aname and svcb/httpsvc … Lanlan Pan
- Re: [DNSOP] status of the aname and svcb/httpsvc … Paul Vixie
- Re: [DNSOP] status of the aname and svcb/httpsvc … Erik Nygren
- Re: [DNSOP] status of the aname and svcb/httpsvc … Andrew M. Hettinger
- Re: [DNSOP] status of the aname and svcb/httpsvc … Dan York
- Re: [DNSOP] status of the aname and svcb/httpsvc … Joe Abley
- Re: [DNSOP] status of the aname and svcb/httpsvc … Lanlan Pan
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Vladimír Čunát
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tony Finch
- Re: [DNSOP] status of the aname and svcb/httpsvc … Anthony Eden
- Re: [DNSOP] status of the aname and svcb/httpsvc … Matthijs Mekking
- Re: [DNSOP] [External] status of the aname and sv… Andrew M. Hettinger
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tim Wicinski
- Re: [DNSOP] status of the aname and svcb/httpsvc … Tony Finch