IETF Logo Mail Archive

Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 25 August 2022 19:52 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 460F8C1522AD for <dnsop@ietfa.amsl.com>; Thu, 25 Aug 2022 12:52:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id usuBs0dZynXX for <dnsop@ietfa.amsl.com>; Thu, 25 Aug 2022 12:52:45 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0DFCC14CE3A for <dnsop@ietf.org>; Thu, 25 Aug 2022 12:52:45 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id hf17so2694679pjb.3 for <dnsop@ietf.org>; Thu, 25 Aug 2022 12:52:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=x7vexKjA1dSC8Eh7YXjYwy1IQ1dTLPoS2dvG/NLT624=; b=gTSGoleWY2vW/xnDq4O6s9ecBGn5bjObtxXhxS2M1j1PyiB7H0I5DQjiVmN7fGvk1x 2b22ctXyeIBf91tR1bFaEYzVHuvMBxQi4sciod8Bd7xl1F45iMSH49Bbj/QZsl5IMyse tUOGsIuqaCiGwtdrcxi3qOj9fkyaf0L305T2AXhoPR1r/q2h/IsLuPZivv/VfPoAU7FC YGJj0kjpFmj9YXdqf2y6GsWfJaOcwFXvtCXrbsEZn4ZmRicrS+KV7Aehmhy0TbWjjveA cpA+NOz2AVmAa1BL8zjvtB6/3LeFpVIFocGhNKkmY9x56jQdwH7t7RSGy9+ksdWIceX8 rX8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=x7vexKjA1dSC8Eh7YXjYwy1IQ1dTLPoS2dvG/NLT624=; b=k9O3/vu7QahXIfO/fiTw9jgcPxkxD6JJo93ITmP5giO0QXZS1XsekGygmtLCHCH9nr dfIAwQ8rkBPhyvrD+HG6bUL5VNbF00GrmlNc8zeBBoU6NH2EiY491PGO9YqNLB5TaHwy cNyIbV3ZdwKkwS/X0jSMj9fiNQdASPmB0bZqy/fUbKA0DyK/OPfouBYidrjLhyFH/qva vhqh+tSpbPsGUHGUEKldzgpAjTiIvoFnsUXB8gi+oUynaQB0rhjxzFTQsUn63QvPJJLZ OiveDCzXlAvs9lBaQP7g7TTHmeWoIFagS6io6jzza7NFk5MZOy/CvrXlcao+AybphEI6 Q5EA==
X-Gm-Message-State: ACgBeo2osmjZCrgGPsm85ZwKHDpN9tqjSQWmSmhRfU4bvbnpYpyUpzQO 6sn1k1zeWzVEjq94DEp+d5o703YnrQmExmM93O+1QQS5kP0=
X-Google-Smtp-Source: AA6agR7rRDN3lLncXcfq5+eJ7A0PxZyfJsMV6rYAUE06eiLW6JQ3h5gWP3Yigv12Zp5IV24AUxw+wgICQyahW3w5hbQ=
X-Received: by 2002:a17:90a:c395:b0:1fa:b411:805a with SMTP id h21-20020a17090ac39500b001fab411805amr675594pjt.74.1661457165149; Thu, 25 Aug 2022 12:52:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iKZJndu1100LBU3TiuhF9ACb0As2deA1oZWD2eA46tBbA@mail.gmail.com> <CAH1iCiqryY=u6MN2mkf7krHLmc7TQkoDaXe0k=ZZ+0e9uiMb-Q@mail.gmail.com> <YwaQrnoA3hifxCQW@straasha.imrryr.org> <CAMOjQcEcKQSWvb_LqmfkGwZ2dt_561jLZxHTMuMO0pMy2s9mbw@mail.gmail.com> <CAH1iCirnWdDY0p2-grQKN3PQWOM=JLevxbNskFFEzGwHvisGZA@mail.gmail.com> <B024358C-77FD-4E63-8E18-1CBCEA6C6B14@icann.org> <CAH1iCiry3VDS+dM+wEkPH5a_TSt5pEddxPjKOhL9_M20e_dR0A@mail.gmail.com> <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org>
In-Reply-To: <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 25 Aug 2022 12:52:34 -0700
Message-ID: <CAH1iCiq6jWarZ3XgsQ5K5_9L+3q=mg-4qqOf+Y4xjVz5TMnz1g@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000236cf005e7162450"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SfRm28ZyXrkuQYMvq8t2ZYH9Dl8>
Subject: Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 19:52:46 -0000

On Thu, Aug 25, 2022 at 7:58 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Aug 24, 2022, at 7:14 PM, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
> >> Are you saying that it was explicit after WG Last Call but changed? Or
> during IETF Last Call and was changed?
> >>
> > No, I'm saying that, as far as I can tell, the flow was never explicit,
> and that's a big part of the problem.
> >
> > And I'm saying that if it had been explicit, the concerns would have
> been raised at that time, rather than now.
>
> This WG has dealt with that exact issue many times with well-debated -bis
> documents.
>
> When Warren started this thread, he said "this is *not*  an opportunity to
> re-litigate existing  decisions, make non-required changes, etc." AliasMode
> was significantly discussed during the preparation of the document, and it
> appears that you don't like the conclusion. That's fine, but that's not a
> reason to change this document: it is a reason to create either a document
> that clarifies or updates it.
>
>
Warren also stated "I'd like to also thank the authors and WG in advance
for their time and for keeping this discussion focused".  I interpret that
as, "let's discuss the technical content of the draft."

To that end:
The issue I raised was with the process flow for the client, in section 3,
not the AliasMode section (2.4.2).
In the summary portion of my original email, I put it thusly:

   - Resurrecting ANAME behavior in corner cases is every bit as bad as
   choosing ANAME as the standard.

I.e. I am saying that, under certain conditions (either DNS resolution
problems, or HTTPS connection problems, after successfully resolving a
single AliasMode HTTPS record, and if there exists apex A/AAAA records
[0]), that the prescribed behavior reverts to that of ANAME.
My assertion is that the ANAME behavior is "OMG! That clearly doesn't
work". [1]

My question to anyone responding who disagrees with this assessment is:
Which is it?

   - Is the behavior (in the corner cases) not ANAME-like (requiring that
   apex A/AAAA records have the same values as would be resolved when
   following the HTTPS Alias)?
   - Or, "No, it always works" (even in those corner cases)?
   - Or, "The corner case ANAME behavior exists, but is not a big enough
   deal to make changes before publication."

*Having the opinion that "The corner case ANAME behavior exists, but is not
a big enough deal to make changes before publication", is a valid position.*
I would prefer that this *exact* language be used, if this is the position
being taken by anyone, please.
(E.g. Paul H, is this an accurate characterization of your position?)

BTW: the fall-back corner case is only indirectly related to AliasMode, and
is not related to any of the discussions on AliasMode that occurred, to the
best of my knowledge.
(I'd be happy to be corrected with any single pointer to an on-list thread,
if I'm wrong).

I am not proposing changes to AliasMode itself, nor do I have problems with
the current state of 2.4.2 (other than ambiguous language.)

The problematic bit from 2.4.2 was specifically:

   - The conflation is between "legacy clients", and "preferable for
   clients implementing the specification".
   - Legacy support is not "fallback", which is where the conflation is
   introduced.
   - If non-legacy fallback is a required element to advance the draft,
   let's update the draft accordingly
      - Including establishing a new owner label prefix for fallback
      records, distinct from legacy records, which by definition CANNOT have a
      different name than the origin (apex) name.
      - The conflation is IMHO browsers attempting to infer the intent of
      zone owners, rather than having zone owners explicitly publish
appropriate
      records to that effect (fallback target addresses).

Note also that 2.4.2 only defines AliasMode (what it is, how it is meant to
be used, rules about what the publisher should put in AliasMode records,
and the paragraph about "legacy clients" is not part of, nor is it
subsequently either incorporated by reference, restated, or directly
included in section 3 on Client behavior. (The only other place "legacy" is
referenced is in Appendix C, comparing the draft to the ANAME and HTTP
proposals that predate this draft.)

NB: Viktor Dukhovni had a laser-focused contribution to the discussion (on
Wed, Aug 24, 1:58 PM), which I believe does a much better job of
articulating the issue than my original message did. (Thanks, Viktor).
I would strongly suggest reading his message and replying/commenting there.

Brian

[0] Apex A/AAAA records may exist for purposes other than publishing the
site whose delegation is performed via HTTPS record, including SMTP or
other non-web services, or for providing legacy clients with instructions
on obtaining HTTPS-aware clients.
[1] See the extensive WG ANAME discussions for why ANAME doesn't work
for everyone. AliasMode *does* work for everyone. Resurrecting the
ANAME behavior alongside AliasMode, is snatching defeat from the jaws of
victory.

v2.23.0 | Report a Bug | By Email