IETF Logo Mail Archive

Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 29 August 2022 17:44 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD32AC180A8E for <dnsop@ietfa.amsl.com>; Mon, 29 Aug 2022 10:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iEXDI6bfqQHx for <dnsop@ietfa.amsl.com>; Mon, 29 Aug 2022 10:44:55 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47CEEC180A8D for <dnsop@ietf.org>; Mon, 29 Aug 2022 10:44:53 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 65DEB103239; Mon, 29 Aug 2022 13:44:52 -0400 (EDT)
Date: Mon, 29 Aug 2022 13:44:52 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <Ywz7FFmuCQCbnIWe@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <YwaQrnoA3hifxCQW@straasha.imrryr.org> <CAMOjQcEcKQSWvb_LqmfkGwZ2dt_561jLZxHTMuMO0pMy2s9mbw@mail.gmail.com> <CAH1iCirnWdDY0p2-grQKN3PQWOM=JLevxbNskFFEzGwHvisGZA@mail.gmail.com> <B024358C-77FD-4E63-8E18-1CBCEA6C6B14@icann.org> <CAH1iCiry3VDS+dM+wEkPH5a_TSt5pEddxPjKOhL9_M20e_dR0A@mail.gmail.com> <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org> <CAHbrMsC_RO1J6qp_yOWOc3P4zpZ-cOCB6adXRwjoSQP7_yrWug@mail.gmail.com> <CAH1iCiqzeZORDmbE+XMs1wt6YZKYFZWnsnrvN8fbLHpFXEfDfw@mail.gmail.com> <CAHbrMsDSbDapPFFfhU1iyi5BpEjb8NA7WXz+1pu78dGnuVkNzg@mail.gmail.com> <CAKC-DJhWGMxJSS4Ztz=hVvjV-DF63+H_2yKGM8LTVnAxBpzmYQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKC-DJhWGMxJSS4Ztz=hVvjV-DF63+H_2yKGM8LTVnAxBpzmYQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Qa7-V27pzndXADZW07EbKefYyT4>
Subject: Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 17:44:57 -0000

On Mon, Aug 29, 2022 at 12:33:55PM -0400, Erik Nygren wrote:

> On paths forward on the draft as it stands to clarify without making
> significant technical changes (which I don't think are necessary):
> 
> * Are there particular clarifications we can/should add to help make
> the current behavior more clear to readers?  For example, would having
> some examples of the failure cases (without changing the semantics)
> help?  Note that since the fallback behavior is a SHOULD not a MUST
> for clients, it can't necessarily be relied upon.


Likely so, especially to illustrate:

    * SVCB/HTTPS lookup failure in the initial SVCB query (i.e. not NOERROR/NODATA
      or NXDOMAIN).

    * SVCB/HTTPS lookup failure after some non-zero number of AliasMode records
      that result in a new target $QNAME.

    * A/AAAA lookup failure of the "final" target name (does this lookup still
      happen if SVCB/HTTPS lookup fails after a non-zero number of
      AliasMode records are processed?)

    * Connection failure to some or all of the targets/ports resolved via SVCB/HTTPS
      records (should/may happy eyeballs probe the resolved SVCB/HTTPS
      targets in parallel with the fallback original name or $QNAME
      fallback?)

Clarify which $QNAME is appended to the target list as a fallback.


> * This might be too much of a technical change at this point,
>   but would it make sense to change the SHOULD to a MAY on client
>   fallback behavior?  Clients implementations may choose to ignore the
>   SHOULD so this doesn't change the contract.

Given the stated permissive stance (to quote Paul Vixie from another
forum/thread: browsers gonna browse), perhaps "MAY" is more appropriate.

> * For the rfc1123 section 2 topic, it may make sense to clarify the text
>  to say "domain name" rather than "hostname":
>
>    > An "alternative endpoint" is a hostname, port number, and other
>    > associated instructions to the client on how to reach an instance
>    > of service.
>
>   Everywhere else in the normative sections such as 1.2 and 2.1 we say
>   that the TargetName is a "domain name" (aligned with the
>   clarification in rfc8499 on the difference between host and domain
>   names).
>
> On the rfc1123s2 front. a corner-case that might be encountered is
> that Proxies might be confused by "When connecting using a SVCB
> record, clients MUST provide the final TargetName and port to the
> proxy" in the case where proxies don't expect a domain name (eg, with
> an underscore prefix).  I don't know if there is any warning we should
> provide about this corner-case, or cover that in the future if it
> turns out to be a problem?

Just saying that it is a domain name does not fundamentally address the
issue, since the draft (almost RFC) in multiple places suggests that
even domain names adorned with attrleaf prefixes are potential owner
names of A/AAAA records, which runs into conflict with 1123 (and as
you note potential issues with proxies, or other software that expects
"hostnames" as valid names for A/AAAA records).

> For the future, there are subsequent drafts that could be introduced:
> 
> * We could add an optional "nofallback" SvcParam to AliasMode as Brian
> suggests, but in a future draft. (This would be the first SvcParam on
> AliasMode, but they are allowed and introducing them might help
> prevent ossification of this extension point.)

Sounds reasonable.

> * Introducing an optional "Alt-Used" equivalent (eg, "Service-Used")
>   that provides information about the SVCB/HTTPS RR path followed
>   would be very useful to service operators.  We got stuck on not
>   finding the right content vs privacy balance here, and experience
>   with Alt-Used is that not all clients will implement it regardless.
>   But if we had this and got enough clients to implement then it could
>   help address some of Brian's concerns about getting better
>   visibility in the fallback case.  (eg, "Service-Used: type=fallback"
>   as an HTTP header)

An interesting idea.  Certainly such signals can be helpful to operators
to detect problems and/or guage when infrastructure changes become
viable.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email