Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02

Ben Schwartz <bemasc@google.com> Thu, 11 June 2020 18:48 UTC

References: <20200417101932.GA2035@wakko.flat11.house> <CAMOjQcF10Ceh=O1-s58Kw_j_hekbCnfmQ9sMZGZiwvhDdbg2bA@mail.gmail.com> <CAHbrMsBCeg+3wDcbAJk=KZC1y0RPtLjznst2NVSDJQVSRL84XA@mail.gmail.com> <CAMOjQcHTgsJo4-9O=uZF9PTOGHz0s7BFmOBuCn4nStQ+6YnW1Q@mail.gmail.com> <CAHbrMsDTBDuuO27mS9KbeHC042incgPbtozHZZ7tx=X2o6=RiA@mail.gmail.com> <20200610224455.GA44302@sokka.flat11.house> <5833E55F-A483-4781-BF51-DDDE95FB0677@isc.org> <20200611133028.GA30562@wakko.flat11.house>
In-Reply-To: <20200611133028.GA30562@wakko.flat11.house>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 11 Jun 2020 14:48:19 -0400
Message-ID: <CAHbrMsAUNCaftTjKhiVgenKd_PXtm1=XKowWVvzJgLWTRXKTkg@mail.gmail.com>
To: Alessandro Ghedini <alessandro@ghedini.me>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Eric Orth <ericorth=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OEbYg3wsukx8HgGxyAgK0V035h0>

On Thu, Jun 11, 2020 at 9:30 AM Alessandro Ghedini <alessandro@ghedini.me>
wrote:

>
> > Well firstly if you are going to be using providers, use their domain
> > names in the HTTPSSVC records.  The above configuration is more for
> > self hosting.
>
> So, the domain name is always www.example.net for all providers, are you
> saying that instead of "HTTPSSVC 1 . ..." it should be "HTTPSSVC 1
> www.example.net ..."?
>

No, the correct configuration is the one you wrote at the start of this
thread, back in April:

    www.example.net      3600 IN CNAME cname.cdn-a.example
    cname.cdn-a.example  3600 IN HTTPSSVC 1 . alpn=h3 echconfig="..."

Here, "." means "cname.cdn-a.example.", so the ECHConfig will be bound to
the A/AAAA for that domain.  To switch providers, www.example.net would
just update its CNAME, and clients will seamlessly transition as caches
update.

> So, what am I missing here?

I think the key point here is that skipping the CNAME is a bad idea, for
exactly the reason you described.

If the customer really wants to skip the CNAME for some reason, it can do

    www.example.net      3600 IN HTTPSSVC 1 cname.cdn-a.example alpn=h3 echconfig="..."

If it also feels the need to short-circuit the A/AAAA lookups, it can add
IP hints here.  With or without IP hints, this is more fragile than a CNAME
if the CDN changes its configuration, but it won't break, or prevent
switching CDNs, so long as it's kept up to date.
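As an added illustration (not part of this thread, the draft, or any resolver implementation), the toy Python resolver below follows a CNAME chain and applies the rule that an HTTPSSVC TargetName of "." means "the owner name of this record". It then contrasts the two layouts discussed above: www.example.net CNAMEd to the CDN-owned name that carries both the HTTPSSVC and A records, versus the customer publishing the HTTPSSVC record itself with an explicit TargetName and optional IP hints. The zone data, the echconfig strings ("ECH-A" etc.) and the IP addresses are constructed; AliasMode (priority 0), AAAA records and TTL handling are not modelled.

```python
"""Toy SVCB/HTTPSSVC resolution, constructed to illustrate the CNAME-vs-direct
record layouts.  Not from the draft or the thread; all zone data is made up."""

from typing import Dict, List, Optional, Tuple

# A zone maps an owner name to (rrtype, rdata) pairs.  HTTPSSVC rdata is
# (priority, target, params); CNAME rdata is a name; A rdata is an IPv4 string.
Zone = Dict[str, List[Tuple[str, object]]]


def cdn_zone(cdn: str, ech: str, addr: str) -> Zone:
    """Constructed layout from the thread: www.example.net is a CNAME to the
    CDN's own name, which owns the HTTPSSVC (TargetName ".") and the A record."""
    cdn_name = f"cname.{cdn}.example."
    return {
        "www.example.net.": [("CNAME", cdn_name)],
        cdn_name: [
            ("HTTPSSVC", (1, ".", {"alpn": "h3", "echconfig": ech})),
            ("A", addr),
        ],
    }


def direct_zone(cdn: str, ech: str, addr: str, hint: bool) -> Zone:
    """Constructed 'skip the CNAME' layout: the customer publishes the HTTPSSVC
    record itself, naming the CDN host explicitly, optionally with an IP hint."""
    cdn_name = f"cname.{cdn}.example."
    params: dict = {"alpn": "h3", "echconfig": ech}
    if hint:
        params["ipv4hint"] = [addr]
    return {
        "www.example.net.": [("HTTPSSVC", (1, cdn_name, params))],
        cdn_name: [("A", addr)],
    }


def rrs(zone: Zone, name: str, rrtype: str) -> list:
    """All rdata of the given type at an owner name (empty list if none)."""
    return [rd for (t, rd) in zone.get(name, []) if t == rrtype]


def follow_cname(zone: Zone, name: str, max_hops: int = 8) -> str:
    """Return the final owner name after following CNAMEs; reject loops."""
    seen = set()
    for _ in range(max_hops):
        targets = rrs(zone, name, "CNAME")
        if not targets:
            return name
        seen.add(name)
        name = targets[0]
        if name in seen:
            raise ValueError("CNAME loop")
    raise ValueError("CNAME chain too long")


def resolve_https(zone: Zone, name: str) -> Optional[dict]:
    """Resolve name to an HTTPS endpoint description, or None if no HTTPSSVC."""
    owner = follow_cname(zone, name)
    records = rrs(zone, owner, "HTTPSSVC")
    if not records:
        return None
    _priority, target, params = min(records, key=lambda r: r[0])
    # "." binds the record to its own owner name, i.e. the CNAME target here.
    effective = owner if target == "." else target
    # IP hints short-circuit the A lookup; otherwise resolve the target's A.
    addresses = params.get("ipv4hint") or rrs(zone, follow_cname(zone, effective), "A")
    return {
        "target": effective,
        "alpn": params["alpn"],
        "echconfig": params["echconfig"],
        "addresses": list(addresses),
    }


def rotate_cdn_ech(zone: Zone, cdn: str, new_ech: str) -> None:
    """Simulate the CDN publishing a fresh ECHConfig at its own name only."""
    cdn_name = f"cname.{cdn}.example."
    updated = []
    for rrtype, rdata in zone.get(cdn_name, []):
        if rrtype == "HTTPSSVC":
            prio, target, params = rdata
            rdata = (prio, target, {**params, "echconfig": new_ech})
        updated.append((rrtype, rdata))
    zone[cdn_name] = updated


if __name__ == "__main__":
    z = cdn_zone("cdn-a", "ECH-A", "192.0.2.10")
    print("CNAME layout:", resolve_https(z, "www.example.net."))
    rotate_cdn_ech(z, "cdn-a", "ECH-A2")
    print("after CDN key rotation:", resolve_https(z, "www.example.net."))
    z.update(cdn_zone("cdn-b", "ECH-B", "198.51.100.20"))  # switch provider
    print("after CNAME switch:", resolve_https(z, "www.example.net."))
    d = direct_zone("cdn-a", "ECH-A", "192.0.2.10", hint=True)
    rotate_cdn_ech(d, "cdn-a", "ECH-A2")
    print("direct layout, stale after rotation:", resolve_https(d, "www.example.net."))
```

The CNAME layout picks up both a provider switch (one CNAME edit) and a CDN-side ECHConfig rotation automatically, because the HTTPSSVC record lives at the CDN's name; in the direct layout the customer's copy of the echconfig goes stale until it is republished, which is the fragility the message describes.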