IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-02.txt

"libor.peltan" <libor.peltan@nic.cz> Wed, 30 December 2020 09:39 UTC

Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 376FA3A07F5 for <dnsop@ietfa.amsl.com>; Wed, 30 Dec 2020 01:39:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pamMuwZZ85Wh for <dnsop@ietfa.amsl.com>; Wed, 30 Dec 2020 01:39:13 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5809D3A07F4 for <dnsop@ietf.org>; Wed, 30 Dec 2020 01:39:12 -0800 (PST)
Received: from [192.168.0.105] (mem-185.47.220.208.jmnet.cz [185.47.220.208]) by mail.nic.cz (Postfix) with ESMTPSA id BA101140A69; Wed, 30 Dec 2020 10:39:09 +0100 (CET)
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
References: <160435342340.5690.11246183519764836508@ietfa.amsl.com> <CAHbrMsCfxhv_fiSMuZNb+Rx=p_oa-Z682sAj8D4y7YkAf0=Lgg@mail.gmail.com>
From: "libor.peltan" <libor.peltan@nic.cz>
Message-ID: <500fe764-612b-a7d6-3d2c-efbf02d1b75c@nic.cz>
Date: Wed, 30 Dec 2020 10:39:09 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CAHbrMsCfxhv_fiSMuZNb+Rx=p_oa-Z682sAj8D4y7YkAf0=Lgg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------467D093F9152CB18A35AC391"
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.102.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/X2ufN08r2SYtt7Dn8aY5WkNbeUM>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 09:39:16 -0000

Hi Ben, all,
i'd like to ask for some clarification of expected Authoritative server 
behaviour around Alias SVCB records:

1) when there are multiple Alias SVCB records for an owner name, should 
the Authoritative server put targeted records into Additionals for all 
of them, or just pick one?
(Section 4.1 says "authoritative DNS servers SHOULD return A, AAAA, and 
SVCB records in the Additional Section for any in-bailiwick 
TargetNames", but section 2.4.2 will render it useless with "If multiple 
are present, clients or recursive resolvers SHOULD pick one at random." 
Which means, half (or most) of the additionals will get thrown away.)

2) When the TargetName points to an in-bailiwick CNAME, should the 
autoritative server populate the CNAME chain inside the Additional 
section? It seems to me (fortunately :) ), that following such CNAME is 
only required for Recursive resolvers, however e.g. this zone will thus 
need three upstream queries to fetch it all:
foo 3600 IN SVCB 0 bar
bar 3600 IN CNAME baz
baz 3600 IN SVCB 0 . alpn=...
baz 3600 IN AAAA 1::2

Thanks for your answers,
Libor

PS: is this e-mail thread the right place to ask for details 
clarification around SVCB features?

Dne 16. 11. 20 v 7:43 Ben Schwartz napsal(a):
> For those who haven't looked at the diff, here are the changes since -01
>       *  Added a Privacy Considerations section
>       *  Adjusted resolution fallback description
>       *  Clarified status of SvcParams in AliasMode
>       *  Improved advice on zone structuring and use with Alt-Svc
>       *  Improved examples, including a new Multi-CDN example
>       *  Reorganized text on value-list parsing and SvcPriority
>       *  Improved phrasing and other editorial improvements throughout
>
> Notably, the normative changes are extremely limited compared to the 
> previous draft.  This reflects the authors' view that this draft is 
> stabilizing and should be ready for WGLC soon.
>
> Perhaps more important than the changes that were made are the changes 
> that were discussed but have not been made:
> * We had an extensive discussion regarding the meaning of TargetName = 
> ".", which is currently shorthand for the owner name.  Some suggested 
> augmenting this to mean "owner name minus underscore prefix labels", 
> and others suggested removing this special-case entirely.  
> (https://github.com/MikeBishop/dns-alt-svc/issues/252 
> <https://github.com/MikeBishop/dns-alt-svc/issues/252>)
> * We received a suggestion to ban fallback to non-SVCB connection 
> establishment (https://github.com/MikeBishop/dns-alt-svc/issues/256 
> <https://github.com/MikeBishop/dns-alt-svc/issues/256>). (We clarified 
> the fallback text but did not change the recommendation.)
> * The escaping of ALPNs that contain commas continues to be 
> contentious.  We received a suggestion to remove support for such 
> ALPNs (https://github.com/MikeBishop/dns-alt-svc/issues/268 
> <https://github.com/MikeBishop/dns-alt-svc/issues/268>).
>
> In each case, we think that the draft's current text still reflects 
> the group's consensus and strikes the right balance. If you disagree, 
> please open a thread on the dnsop list and we will discuss it.
>
> We have one open issue that seems likely to result in a text change 
> (https://github.com/MikeBishop/dns-alt-svc/issues/87 
> <https://github.com/MikeBishop/dns-alt-svc/issues/87>). This is a fine 
> point regarding the HTTPS user experience if TLS fails, and we are 
> soliciting input from experts on those topics.
>
> On Mon, Nov 2, 2020 at 4:44 PM <internet-drafts@ietf.org 
> <mailto:internet-drafts@ietf.org>> wrote:
>
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Domain Name System Operations WG
>     of the IETF.
>
>             Title           : Service binding and parameter
>     specification via the DNS (DNS SVCB and HTTPS RRs)
>             Authors         : Ben Schwartz
>                               Mike Bishop
>                               Erik Nygren
>             Filename        : draft-ietf-dnsop-svcb-https-02.txt
>             Pages           : 45
>             Date            : 2020-11-02
>
>     Abstract:
>        This document specifies the "SVCB" and "HTTPS" DNS resource record
>        (RR) types to facilitate the lookup of information needed to make
>        connections to network services, such as for HTTPS origins.  SVCB
>        records allow a service to be provided from multiple alternative
>        endpoints, each with associated parameters (such as transport
>        protocol configuration and keys for encrypting the TLS
>     ClientHello).
>        They also enable aliasing of apex domains, which is not
>     possible with
>        CNAME.  The HTTPS RR is a variation of SVCB for HTTPS and HTTP
>        origins.  By providing more information to the client before it
>        attempts to establish a connection, these records offer potential
>        benefits to both performance and privacy.
>
>        TO BE REMOVED: This document is being collaborated on in Github at:
>     https://github.com/MikeBishop/dns-alt-svc
>     <https://github.com/MikeBishop/dns-alt-svc> [1].  The most recent
>        working version of the document, open issues, etc. should all be
>        available there.  The authors (gratefully) accept pull requests.
>
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>     <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>
>
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02
>     <https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02>
>     https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02
>     <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02>
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-svcb-https-02
>     <https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-svcb-https-02>
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at
>     tools.ietf.org <http://tools.ietf.org>.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>     <ftp://ftp.ietf.org/internet-drafts/>
>
>
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     https://www.ietf.org/mailman/listinfo/dnsop
>     <https://www.ietf.org/mailman/listinfo/dnsop>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email