IETF Logo Mail Archive

Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Mark Andrews <marka@isc.org> Thu, 23 July 2020 23:23 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F2B3A0866 for <dnsop@ietfa.amsl.com>; Thu, 23 Jul 2020 16:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9v0ZMkZ4607 for <dnsop@ietfa.amsl.com>; Thu, 23 Jul 2020 16:23:13 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 817CC3A0863 for <dnsop@ietf.org>; Thu, 23 Jul 2020 16:23:13 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 92D2E3AB007; Thu, 23 Jul 2020 23:23:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 8885D16006D; Thu, 23 Jul 2020 23:23:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 79C8516006C; Thu, 23 Jul 2020 23:23:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id hhAKG9oNhg8c; Thu, 23 Jul 2020 23:23:11 +0000 (UTC)
Received: from [172.30.42.68] (unknown [49.2.101.160]) by zmx1.isc.org (Postfix) with ESMTPSA id A9CDA160043; Thu, 23 Jul 2020 23:23:10 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.6\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <20200723164331.GA18990@wakko.flat11.house>
Date: Fri, 24 Jul 2020 09:23:06 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A6D1D6EA-7E5D-479E-8E4F-33F61A945521@isc.org>
References: <20200716151356.GA60024@wakko.flat11.house> <18174930-D601-462A-BB4E-E994DB2EB4B9@isc.org> <20200716172604.GA65961@wakko.flat11.house> <E80B5A6A-9EB1-497B-81C1-2FA67012FAD3@isc.org> <20200723095040.GA1524@wakko.flat11.house> <CB5C2443-3726-4D05-94F6-2C3563B4A175@isc.org> <20200723164331.GA18990@wakko.flat11.house>
To: Alessandro Ghedini <alessandro@ghedini.me>
X-Mailer: Apple Mail (2.3445.9.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZGLQprcIjVBtLQjtnOxyYcPSRgQ>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 23:23:16 -0000


> On 24 Jul 2020, at 02:43, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> 
> On Fri, Jul 24, 2020 at 01:20:41AM +1000, Mark Andrews wrote:
>> 
>> 
>>> On 23 Jul 2020, at 19:50, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>>> 
>>> On Fri, Jul 17, 2020 at 10:11:33AM +1000, Mark Andrews wrote:
>>>> 
>>>> 
>>>>> On 17 Jul 2020, at 03:26, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>>>>> 
>>>>> On Fri, Jul 17, 2020 at 01:37:35AM +1000, Mark Andrews wrote:
>>>>>> Do you have a estimate on when you will enable additional section processing for these records?
>>>>> 
>>>>> Not sure I understand the question. Do you mean authoritative servers adding
>>>>> A/AAAA records to additional section of HTTPS responses?
>>>>> 
>>>>> Cheers
>>>> 
>>>> Yes.  At the moment there will be lots of redundant queries being made. A, AAAA
>>>> and HTTPS/SVBC for every level of the chain. If HTTPS/SVBC aware servers actually
>>>> return A and AAAA records for service form records, we can reduce the number of
>>>> queries that need to be made.
>>> 
>>> I did a little experiment (took me a few days to find the time) with a toy DNS
>>> server [0]. This is obviously not a proper authoritative server, it's just to
>>> illustrate the problem.
>>> 
>>> When I query the auth server directly I get the HTTPS response as well as the
>>> additional section records:
>>> 
>>>    % dig @ns1.nullroute.dev nullroute.dev. type65
>>> 
>>>   ; <<>> DiG 9.16.4-Debian <<>> @ns1.nullroute.dev nullroute.dev. type65
>>>   ; (1 server found)
>>>   ;; global options: +cmd
>>>   ;; Got answer:
>>>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18948
>>>   ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>>   ;; WARNING: recursion requested but not available
>>> 
>>>   ;; QUESTION SECTION:
>>>   ;nullroute.dev.			IN	TYPE65
>>> 
>>>   ;; ANSWER SECTION:
>>>   nullroute.dev.		300	IN	TYPE65	\# 21 00010000010006026832026833000400042D4D6042
>>> 
>>>   ;; ADDITIONAL SECTION:
>>>   nullroute.dev.		300	IN	A	198.51.100.1
>>> 
>>> But if I go through a resolver the additional section seems to be stripped:
>>> 
>>>    % dig @8.8.8.8 nullroute.dev. type65 
>>> 
>>>   ; <<>> DiG 9.16.4-Debian <<>> @8.8.8.8 nullroute.dev. type65
>>>   ; (1 server found)
>>>   ;; global options: +cmd
>>>   ;; Got answer:
>>>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62418
>>>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>> 
>>>   ;; OPT PSEUDOSECTION:
>>>   ; EDNS: version: 0, flags:; udp: 512
>>>   ;; QUESTION SECTION:
>>>   ;nullroute.dev.			IN	TYPE65
>>> 
>>>   ;; ANSWER SECTION:
>>>   nullroute.dev.		299	IN	TYPE65	\# 21 00010000010006026832026833000400042D4D6042
>>> 
>>> I tried a few other public resolvers and I see the same. If this is the actual
>>> behavior of resolvers (rather than just an artifact of my experiment's setup)
>>> then adding additional section wouldn't seem to provide much benefit for
>>> "end-user" clients (say, a browser).
>> 
>> I’m trying to determine if you are serious here.
> 
> Yes, I was serious.
> 
>> Did you honestly expect recursive servers that know about HTTPS and SVBC, had
>> hence have code to add the addition section records to the response, to have
>> been deployed in the 3 weeks since the type codes have been assigned?
> 
> No, that's not at all what I was expecting. I was just trying to figure who this
> would benefit since it wasn't completely clear to me from your email, and I
> wasn't previously aware of the resolvers behaviour regarding additional section
> (TIL I guess).
> 
> Maybe I wasn't clear either, but In my email I asked:
> 
>    Is the expectation that additional section would help resolvers reduce the
>    number of queries rather than the other DNS clients?
> 
> Reading between the lines, your reply seems to confirm that indeed what you are
> expecting is that it would help resolver.
> 
> Cheers

The benefit comes when the chains look like this with possible CNAMEs in the middle.

HTTPS (alias form) -> HTTPS (Service form) -> Addresses

It’s not the first lookup that sees the benefit at this time.  It would be nice if
we get to the stage where we are with SMTP that almost all delivery domains there is
a MX record.  That takes education to fix for HTTPS.  For new services its just a
matter of says SVCB is SHOULD.  

The alias to service form lookups is where you should see the benefit. 

Note recursive servers can prefetch on cache misses for additional data and even
stall the response to fill up the additional section.  The following is a experimental
branch for BIND 9 that does that for SRV.

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/449

There is nothing that actually prevents recursive servers vendors shipping code like this
which knows about HTTPS and SVCB.  Now that merge request and the HTTPS/SVCB merge request
handle CNAMEs slightly differently so I don’t intend to merge that as is but parts of that
are quite likely to make it into future version of BIND.

There does have to be limits on the amount of prefetching a single query can trigger however
so that is doesn’t get weaponised.  Doing A and AAAA prefetches on HTTPS alias form targets
need to not be needed.

>> Especially so when parameters like “mandatory” have only appeared
>> in the latest draft on July 13?  Add to that these records have significantly different
>> additional section processing to any other type.  It’s not just lookup the type by name
>> and add it to the additional section which.  It adding CNAMEs, which no other record
>> requires, and loop prevention code as well. It’s protecting against effectively infinite
>> chains.
>> 
>> It’s also adding code to detect and these records in responses and decide if they are
>> appropriate.  Again the rules for doing this differ in design from any other deployed
>> type.
>> 
>> You can add to all of this, a sense that the records are still not stable and really
>> should not have had type codes assigned when they where.  There was no stable reference
>> for “mandatory” when they where assigned.  IANA references draft-ietf-dnsop-svcb-https-00
>> which doesn’t contain “mandatory”.  The draft was, and potentially still is, not stable
>> enough for permanent code points.  I’m just hoping that we don’t get into serious
>> interoperability issues between implementations because of this.  A -00 server can accept
>> but not verify a record produced by a -01 server over the wire.  A -00 server can’t accept
>> all records, in presentation form, produced by -01 sources.  Do -01 sources now have to
>> emit ‘key0=“…”’ for mandatory to work around this incompatibility?  I suspect not as any
>> -00 servers will be replaced, but there is alway the possibility that someone will come
>> along and implement HTTPS and SVCB against -00 assuming that the description of the
>> records there is complete enough (which it clearly isn’t).
>> 
>>> Is the expectation that additional section would help resolvers reduce the
>>> number of queries rather than the other DNS clients? I guess other clients would
>>> still need to query A/AAAA and HTTPS in parallel as they don't know whether
>>> there is an HTTPS record at all.
>>> 
>>> In any case we don't have plans right now to implement this on Cloudflare's DNS
>>> servers, but it's certainly possible. I will discuss this with our DNS people
>>> and see what they think.
>>> 
>>> Cheers
>>> 
>>>> We need to get to the state where HTTPS/SVBC alias form always reaches a HTTPS/SVBC
>>>> service form.  When we are mostly in that state we can stop doing A and AAAA queries
>>>> along side the HTTPS/SVBC query for names in the HTTPS/SVBC alias form and take the
>>>> RTT hit on the occasional NODATA response.  To get to that state we need the DNS
>>>> servers of the content providers to be HTTPS/SVBC aware and to populate the additional
>>>> section whenever possible.
>>>> 
>>>> BIND’s HTTPS/SVBC implementation adds A, AAAA, CNAME, and HTTPS/SVBC records and
>>>> looks for them in the response.  I would expect all HTTPS/SVBC aware clients to
>>>> look for these records in the response.  At the moment we don’t look for DNAME in
>>>> the additional section nor do we add it because, quite frankly, they should not be
>>>> there in any sensible deployment.  DNAME in the answer section is expected.
>>>> 
>>>> Mark
>>>> 
>>>>>>> On 17 Jul 2020, at 01:13, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>>>>>>> 
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Just a quick note that we have started serving "HTTPS" DNS records from
>>>>>>> Cloudflare's authoritative DNS servers. Our main use-case right now is
>>>>>>> advertising HTTP/3 support for those customers that enabled that feature (in
>>>>>>> addition to using Alt-Svc HTTP headers).
>>>>>>> 
>>>>>>> If anyone is interested in trying this out you can query pretty much all domains
>>>>>>> served by Cloudflare DNS for which we terminate HTTP.
>>>>>>> 
>>>>>>> For example:
>>>>>>> 
>>>>>>> % dig blog.cloudflare.com type65
>>>>>>> 
>>>>>>> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
>>>>>>> ;; global options: +cmd
>>>>>>> ;; Got answer:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
>>>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>>>>>> 
>>>>>>> ;; OPT PSEUDOSECTION:
>>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;blog.cloudflare.com.		IN	TYPE65
>>>>>>> 
>>>>>>> ;; ANSWER SECTION:
>>>>>>> blog.cloudflare.com.	300	IN	TYPE65	\# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E
>>>>>>> 
>>>>>>> Cheers
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> DNSOP mailing list
>>>>>>> DNSOP@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>>> 
>>>>>> -- 
>>>>>> Mark Andrews, ISC
>>>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>>>>> 
>>>> 
>>>> -- 
>>>> Mark Andrews, ISC
>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>> 
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email