[DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02

Alessandro Ghedini <alessandro@ghedini.me> Fri, 17 April 2020 10:19 UTC

Return-Path: <alessandro@ghedini.me>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 488CE3A078A for <dnsop@ietfa.amsl.com>; Fri, 17 Apr 2020 03:19:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ghedini.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4oxhWz9cRoq for <dnsop@ietfa.amsl.com>; Fri, 17 Apr 2020 03:19:41 -0700 (PDT)
Received: from blastoise.ghedini.me (blastoise.ghedini.me [45.32.158.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3D9F3A0787 for <dnsop@ietf.org>; Fri, 17 Apr 2020 03:19:40 -0700 (PDT)
Received: from localhost (unknown [IPv6:2a02:8010:6241:1:c80b:b16e:4df5:334d]) by blastoise.ghedini.me (Postfix) with ESMTPSA id 879ABDF4B6 for <dnsop@ietf.org>; Fri, 17 Apr 2020 10:19:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ghedini.me; s=mail; t=1587118776; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=uuZsrQgFBE2id8mJDIlUPho2q3GDoGd1Td3UiaFhmmE=; b=OAy8dJVtfH1l4GDE6hrP2+wWXVEorMMzXI1CI0ayI4/UhOzO61MTqeoJNnehUUAgwMWqu1 0CKf1u13BgxCK8Hmo8zOP0HPDiosOjxhNk3Sso1P3y3+oOhwVcgIWxfPYZv2wM/JWfj1zx mRL3Y2xgIDBA+TPKE7TDRSGH01z9+Lo=
Date: Fri, 17 Apr 2020 11:19:32 +0100
From: Alessandro Ghedini <alessandro@ghedini.me>
To: dnsop@ietf.org
Message-ID: <20200417101932.GA2035@wakko.flat11.house>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OXZn-R24JnXR9EOyUqp-29kae4Y>
Subject: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 10:19:43 -0000

Hello,

First off, I have started implementing support for SVCB and HTTPSSVC as part of
the dnspython library [0] and I'd be interested in doing some interop testing
with other people's implementations.

I also have a few comments/questions about the draft, apologies if they have
already been discussed in the past (haven't been following the draft from the
start).

1. For interop testing purposes it would be very helpful if the draft listed
commonly agreed upon code-points for the new RR types. Ideally in the form of an
official early assignment from IANA, but if that's not possible picking a couple
of codepoints at random from the "private use" range would also be helpful. In
my implementation I'm currently using "65481" for SVCB and "65482" for HTTPSSVC.

2. The structure of the draft is a bit odd, as it lists a bunch of examples
before introducing any of the records. This was a bit confusing to me, so I'd
suggest moving sections 1.5 and 1.6 _before_ the examples (that is, immediately
after the introduction). It might also be a good idea to just move the examples
to an Appendix instead.

3. Would it make sense to move the ESNI/ECHO config paramenter to the ESNI/ECHO
draft instead? This way the DNS draft wouldn't need to depend on the ESNI draft
(so e.g. if ESNI ends up taking longer, this draft could be published without
having to wait for it).

4. What is the point of differentiating between AliasForm and ServiceForm? Like,
couldn't the draft just say that the SvcFieldValue is an optional field and be
done with that? It seems like not having to explicitly differentiate the two
cases would simplify the draft a bit without sacrificing much, though I might
be missing something.

5. Section 2.1.1 says

   The presentation format for SvcFieldValue is a whitespace-separated
   list of elements representing a key-value pair, with an absent value
   or "=" indicating an empty value.

It took me longer than I'd like to admit to understand the "with an absent value
or "=" indicating an empty value" part. I'd suggest rewording that paragraph to
something like:

   The presentation format for SvcFieldValue is a whitespace-separated list of
   key=value pairs (e.g. "key123=value1 keys456=value2"). When the value, or
   both the value and the "=" are omitted, the value should be interpreted as
   being empty.

Or something better :)

6. In Section 2.2 it says (in reference to param field values):

   o  an octet string of the length defined by the previous field.

It might be good to say here that the format of this octet string is defined
according to the corresponding SvcParamKey, and then reference section 6 for
ths currently defined keys. The same applies for section 2.1.1 for the
presentation format.

7. Section 4.3 says:

   All DNS servers SHOULD treat the SvcParam portion of the SVCB RR...

Should it be SvcFieldValue instead of SvcParam? "SvcParam" is not mentioned
anywhere else.

8. Maybe I'm missing something, but the following sentence in Section 6.4 seems
wrong:

   When SvcDomainName is ".", server operators SHOULD NOT include these hints,
   because they are unlikely to convey any performance benefit.

My understanding is that ipv4hint and ipv6hint are the way to solve the ESNI
multi-CDN problem, so let's say I have "www.example.net" that CNAMEs to both
"cname.cdn-a.example" and "cname.cdn-b.example". A client queries both A and
HTTPSVC concurrently for "www.example.net", and receives two answers (the answer
to the A query points to CDN A, while the answer to HTTPSSVC points to CDN B):

    www.xample.net      3600 IN CNAME cname.cdn-a.example
    cname.cdn-a.example 3600 IN A 192.0.2.1

and

    www.xample.net      3600 IN CNAME cname.cdn-b.example
    cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=h3 esniconfig="..."

My understanding is that in this case the client could end up connecting to
192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong ALPN). So if
the server doesn't provide IP hints there would indeed be impact on performance
because the client would just straight up fail to connect initially (e.g. maybe
CDN A doesn't support HTTP/3, but CDN B's HTTPSSVC says the client can use it,
or just because of the wrong ESNI config).

Long story short, I don't think the text should discourage setting ipv4hint and
ipv6hint here. I get that it's SHOULD NOT and not MUST NOT, but it's pretty
confusing nevertheless.

9. Speaking of multi-CDN, AFAICT the problem is mentioned only once in the whole
draft and only in relation to ESNI. However this is not ESNI-specific and also
affects e.g. HTTP/3 as per the example above. So I think it would be useful to
go into a little more detail on this.

10. Section B.2: s/pther/other/

Cheers

[0] https://github.com/rthalley/dnspython/pull/452