Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
Mark Andrews <marka@isc.org> Thu, 23 July 2020 01:05 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE2D3A0ACC for <dnsop@ietfa.amsl.com>; Wed, 22 Jul 2020 18:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cNAlgg6dqcSA for <dnsop@ietfa.amsl.com>; Wed, 22 Jul 2020 18:05:31 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 663CA3A0ACB for <dnsop@ietf.org>; Wed, 22 Jul 2020 18:05:31 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 271843AB002; Thu, 23 Jul 2020 01:05:31 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B5248160051; Thu, 23 Jul 2020 00:59:15 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A4ED7160069; Thu, 23 Jul 2020 00:59:15 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3hg3ISQeX0SX; Thu, 23 Jul 2020 00:59:15 +0000 (UTC)
Received: from [172.30.42.68] (unknown [49.2.101.160]) by zmx1.isc.org (Postfix) with ESMTPSA id B13A6160051; Thu, 23 Jul 2020 00:59:14 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.6\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com>
Date: Thu, 23 Jul 2020 10:59:10 +1000
Cc: Alessandro Ghedini <alessandro@ghedini.me>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AFA6F2F-0BEB-4BFC-A792-E542A0733875@isc.org>
References: <20200716151356.GA60024@wakko.flat11.house> <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com>
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XwogIqbHil54uG-rvRiycXGRBXQ>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 01:05:33 -0000
> On 23 Jul 2020, at 10:46, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote: > > I attempted to start implementing support for SVCB and HTTPS, and discovered that the data being served by Cloudflare does not conform to the current spec. > > Assuming my decoder is correct, the response below decodes to: > > 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4= ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e > > and does not include a “mandatory” parameter. But section 6.5 of draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key, says: > > This SvcParamKey is always automatically mandatory, > > which implies that there MUST be a “mandatory” parameter. Is this an oversight in the Cloudflare implementation, or is the Cloudflare implementation not implementing the current version? Please read the entire sentence. "This SvcParamKey is always automatically mandatory, and MUST NOT appear in its own value list.” It’s saying if “mandatory" is there you must process the record as if it starts with “mandatory=mandatory,” but the value of 0 MUST NOT be included in the list. > Thanks, > Brian > >> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote: >> >> Hello, >> >> Just a quick note that we have started serving "HTTPS" DNS records from >> Cloudflare's authoritative DNS servers. Our main use-case right now is >> advertising HTTP/3 support for those customers that enabled that feature (in >> addition to using Alt-Svc HTTP headers). >> >> If anyone is interested in trying this out you can query pretty much all domains >> served by Cloudflare DNS for which we terminate HTTP. >> >> For example: >> >> % dig blog.cloudflare.com type65 >> >> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65 >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags:; udp: 4096 >> ;; QUESTION SECTION: >> ;blog.cloudflare.com. IN TYPE65 >> >> ;; ANSWER SECTION: >> blog.cloudflare.com. 300 IN TYPE65 \# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E >> >> Cheers >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwICAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=bPfM-kVBGNE2d_r6kVQw1V-urTv21fSHLYeFhReKf5w&m=Ei0lUqjTt2OhRnRqJeO1XDCHQqnH1FdINDMcPEhCC1g&s=WQn55KFIZ5LGfsj-QGNSS31WGhpI-GuXpJEmhibwNuo&e= > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Tim Wicinski
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Wellington, Brian
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Tommy Pauly
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Wellington, Brian
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Tim Wicinski
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Ben Schwartz
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Wellington, Brian
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Wellington, Brian
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Petr Špaček
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Dick Franks
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Brian Dickson
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Jared Mauch
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Ben Schwartz
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Ben Schwartz
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Alessandro Ghedini
- Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS Mark Andrews