Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

"Wellington, Brian" <bwelling@akamai.com> Thu, 23 July 2020 01:19 UTC

From: "Wellington, Brian" <bwelling@akamai.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
CC: Alessandro Ghedini <alessandro@ghedini.me>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 23 Jul 2020 01:19:48 +0000
Message-ID: <E5679D36-1C01-4534-BDFA-836B1FD5A33D@akamai.com>
In-Reply-To: <099D8D6A-FBBD-4A5A-B1A9-C67CF83DD3DF@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yz99T1u2aqyBv8l-iwa3VGXRCDI>

OK.  So, what this means is that keys listed in the “mandatory” parameter must be included as parameters, and are required to be understood by clients.  The set of “automatically mandatory” keys are required to be understood by clients, but are not required in the RR.

I’m a native English speaker, and have been working with DNS for over 20 years.  If I’m having trouble understanding this, perhaps the spec should be a bit clearer.

Brian

On Jul 22, 2020, at 5:56 PM, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:



On Jul 22, 2020, at 5:46 PM, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:

I attempted to start implementing support for SVCB and HTTPS, and discovered that the data being served by Cloudflare does not conform to the current spec.

Assuming my decoder is correct, the response below decodes to:

1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4= ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e

and does not include a “mandatory” parameter.  But section 6.5 of draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key, says:

This SvcParamKey is always automatically mandatory,

which implies that there MUST be a “mandatory” parameter.  Is this an oversight in the Cloudflare implementation, or is the Cloudflare implementation not implementing the current version?

The Cloudflare record does conform correctly.

The “mandatory” key does NOT need to be included. “Automatically mandatory” keys do not need to be included. Mandatory just indicates which non-automatically-mandatory keys included in the record are required to be understood by clients, or else clients should reject them.

Thanks,
Tommy


Thanks,
Brian

On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:

Hello,

Just a quick note that we have started serving "HTTPS" DNS records from
Cloudflare's authoritative DNS servers. Our main use-case right now is
advertising HTTP/3 support for those customers that enabled that feature (in
addition to using Alt-Svc HTTP headers).

If anyone is interested in trying this out you can query pretty much all domains
served by Cloudflare DNS for which we terminate HTTP.

For example:

 % dig blog.cloudflare.com type65

; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.cloudflare.com. IN TYPE65

;; ANSWER SECTION:
blog.cloudflare.com. 300 IN TYPE65 \# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E

Cheers

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

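Added example, not code from the thread, from Cloudflare or from any of the participants: a Python decoder for the HTTPS/SVCB RDATA wire format, together with a client-side check of the “mandatory” rules as Tommy describes them (keys listed in “mandatory” must be present and understood; automatically mandatory keys must be understood but need not appear). It assumes the SvcParamKey numbering of the published RFC 9460 registry, under which key 4 is ipv4hint, and it is fed the 76-byte Cloudflare record from the dig output above plus a constructed record that does carry a “mandatory” list naming a private-use key (65280) the hypothetical client does not understand.

```python
import base64
import ipaddress
import struct

# SvcParamKey numbers as registered for RFC 9460 (assumption: the final
# numbering; the 2020 drafts the thread refers to were still in flux).
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
# Keys this hypothetical client can act on ("mandatory" itself is one of them).
UNDERSTOOD = set(KEY_NAMES)

# The 76-byte Cloudflare answer quoted in the thread (TYPE65 \# 76 ...).
CLOUDFLARE_RDATA = bytes.fromhex(
    "000100000100150568332D32390568332D32380568332D3237026832"
    "0004000868121A2E68121B2E00060020260647000000000000000000"
    "68121A2E26064700000000000000000068121B2E")
# Constructed record that does carry "mandatory", listing alpn plus a
# private-use key 65280 that this client does not understand.
MANDATORY_RDATA = (b"\x00\x01\x00"                               # priority 1, target "."
                   + b"\x00\x00\x00\x04" + b"\x00\x01\xff\x00"    # mandatory=alpn,key65280
                   + b"\x00\x01\x00\x03" + b"\x02h2"             # alpn=h2
                   + b"\xff\x00\x00\x01" + b"*")                 # key65280 with value "*"

def _parse_name(buf, off):
    """Uncompressed wire-format name -> (presentation name, new offset)."""
    labels = []
    while (n := buf[off]) != 0:
        if n >= 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB targets")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return (".".join(labels) + "." if labels else "."), off + 1

def parse_svcb_rdata(rdata):
    """Return (priority, target, {key: raw value}) after checking the wire rules."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _parse_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:                     # keys must be strictly increasing
            raise ValueError("SvcParamKeys out of order or duplicated")
        value = rdata[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params[key], last_key, off = value, key, off + 4 + length
    if priority == 0 and params:
        raise ValueError("AliasMode (priority 0) records carry no SvcParams")
    return priority, target, params

def format_param(key, value):
    """Presentation form of one SvcParam; unknown keys are shown as hex."""
    name = KEY_NAMES.get(key, "key%d" % key)
    if key == 0:
        listed = struct.unpack("!%dH" % (len(value) // 2), value)
        return name + "=" + ",".join(KEY_NAMES.get(k, "key%d" % k) for k in listed)
    if key == 1:                                # length-prefixed ALPN ids
        alpns, i = [], 0
        while i < len(value):
            alpns.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
            i += 1 + value[i]
        return name + "=" + ",".join(alpns)
    if key == 2:
        return name                             # no-default-alpn has no value
    if key == 3:
        return name + "=%d" % struct.unpack("!H", value)[0]
    if key in (4, 6):
        size, cls = (4, ipaddress.IPv4Address) if key == 4 else (16, ipaddress.IPv6Address)
        return name + "=" + ",".join(str(cls(value[i:i + size]))
                                     for i in range(0, len(value), size))
    if key == 5:
        return name + "=" + base64.b64encode(value).decode("ascii")
    return name + "=" + value.hex()             # simplification of the RFC escaping

def to_presentation(rdata):
    priority, target, params = parse_svcb_rdata(rdata)
    return " ".join([str(priority), target] + [format_param(k, v) for k, v in params.items()])

def client_accepts(rdata, understood=UNDERSTOOD):
    """Apply the "mandatory" rules; False means the client must ignore this RR.
    Listed keys must be present (else the RR is malformed) and understood (else
    ignored). Automatically mandatory keys never have to appear in the record."""
    _, _, params = parse_svcb_rdata(rdata)
    if 0 not in params:
        return True
    raw = params[0]
    if not raw or len(raw) % 2:
        raise ValueError("malformed mandatory value")
    listed = list(struct.unpack("!%dH" % (len(raw) // 2), raw))
    if 0 in listed or listed != sorted(set(listed)):
        raise ValueError("mandatory must be strictly increasing and must not list itself")
    missing = [k for k in listed if k not in params]
    if missing:
        raise ValueError("mandatory lists keys absent from the record: %s" % missing)
    return all(k in understood for k in listed)
```

Under the RFC 9460 numbering the Cloudflare record decodes to `1 . alpn=h3-29,h3-28,h3-27,h2 ipv4hint=104.18.26.46,104.18.27.46 ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e`, and `client_accepts()` returns True for it because it carries no “mandatory” key at all. The constructed record is rejected by a client that does not understand key 65280 and accepted once 65280 is added to its understood set, while a record whose “mandatory” list names a key that is absent from the RR is treated as malformed rather than silently ignored.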