Re: [DNSOP] unsolicited HTTPSSVC responses
Eric Orth <ericorth@google.com> Wed, 27 May 2020 16:07 UTC
Return-Path: <ericorth@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE2413A0F02 for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 09:07:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07_pi7FISiED for <dnsop@ietfa.amsl.com>; Wed, 27 May 2020 09:07:19 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D718F3A0EFC for <dnsop@ietf.org>; Wed, 27 May 2020 09:07:18 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id s8so24512795wrt.9 for <dnsop@ietf.org>; Wed, 27 May 2020 09:07:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2iPTOCcpZ653vNvnoLt1+NEqNIJnPGkx7HfTpZJ2tOY=; b=sQp/hYtiq76Exalu4iFljVrzY/hpWIzyhA7TFdAE4tLJN104XjEC1A+sChfdTfyoMa n0734vYJcCvE3aV6zVMAxrVJob0Tlpx9jqJ7OrDQkFHv9rRZgOkTi8prE82uvctzWvlP 07RAYM6PmyE58Z/KcbYQ3WZ81h9p2VuMi6Rzq6TXn+1yvskIhYEfQpS9I5IhOPbq47q2 jIrhfGB6LEaA0IkZfKgStO1I9K+0o8y7pYiUcEWi88sWQZzXCV3sSr6qCx+D1mDOEbCP dCgWPQw9oQARKTNAGbCXt7gxS5LvR+kPfuNo4FWXaXiXH9NsEgLH2mKOjJRsy59n/5BJ V6Cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2iPTOCcpZ653vNvnoLt1+NEqNIJnPGkx7HfTpZJ2tOY=; b=m/IvrFy1bqawDFsNsuePU9atbraDWkLjTv4xEtQ3sCwwnRQOFVJeRPN27UIpdm5KTC 8z92edPTHaA1C03zPD6ketS2IeFyNQMzml8jKXFooU+EgSwOr1++hcCtkebzfbOgos15 Kz380Dh8gC+nYadJriNN/9kG7qN8SrbmA/HIK1Hh/TcA8ZvOOUOgurcxA48HCBCaiavr bUNjYWau+UQB1y8CBJuY4Ef5MIuBS4uyXmp7OIZ/YlDn6bGmzgYDa91nzMESzfnasArr qt04ZDUoyinS9r8VszcRk8/F/O1He9kC0wQJsU1mJCia54RjD1TjlCOdQX883EQJeYQm CCeQ==
X-Gm-Message-State: AOAM533pRy+8Q0g2qJMv2Yzp/KG4LLa9qjyEFTVHLyuRUMMtje9fQTFW syvc0uiaeee5TOvPXL/9dOmV+vvYM1prc5Z37FpdHGL0
X-Google-Smtp-Source: ABdhPJwh3krSdtNXHtdGxwtnOblmGosQQABxMx+EeZYZ9/9lsVZcODHtq1jN3enR8bFHn7AmLylTZDWm4IMPNIBOGLg=
X-Received: by 2002:adf:e64b:: with SMTP id b11mr24535693wrn.402.1590595636971; Wed, 27 May 2020 09:07:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAMOjQcHAKC6ge2te8eqPz3JFmmLrpBoTSt2yKKxFXHpQEyjLqg@mail.gmail.com> <1852098.ajqZCkXiOD@linux-9daj>
In-Reply-To: <1852098.ajqZCkXiOD@linux-9daj>
From: Eric Orth <ericorth@google.com>
Date: Wed, 27 May 2020 12:07:06 -0400
Message-ID: <CAMOjQcHbiFQr7iKL70WaPEsbH9yoJEhQzxxamCC98h1wQd_-qQ@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecc88c05a6a36730"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZM9UcVphYma53t1gGGJzNah7ny0>
Subject: Re: [DNSOP] unsolicited HTTPSSVC responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 16:07:29 -0000
On Tue, May 26, 2020 at 7:05 PM Paul Vixie <paul@redbarn.org> wrote: > On Tuesday, 26 May 2020 19:43:27 UTC Eric Orth wrote: > > One of my colleagues recently brought up the idea of suggesting > recursives > > add additional HTTPSSVC records into responses for A/AAAA queries as a > way > > to make HTTPSSVC more available for cases where a stub is hesitant to > make > > additional queries out of concern for bad behavior from bad middleboxes > (a > > frequent concern for Chrome when not using DoH). My initial impression > is > > that it's not a reasonable idea, but I wanted to bring it here to DNSOP > in > > case anybody has further ideas to make it workable. So any relevant > > thoughts or concerns from anybody here? > > proposals exist going way back to add AAAA to additional data for answers > of > type A, and to add A to additional data for answers of type AAAA. this is > not > different from adding A and AAAA to additional data for answers of MX and > SRV, > which already happens. your proposal fits the same mold, which is that the > spec neither requires nor prohibits it. however, the client API likely > does > not have a way to benefit from the additional data in a stub response. Not a blocking concern for Chrome because in many cases it uses a built-in stub resolver that could easily read anything it wants out of the responses. But it certainly limits whether or not we would try to convince recursive operators to do this if it is likely to only be of benefit to Chrome. Also exacerbates all the concerns around things not being ideal if the stub is not going to use the HTTPSSVC if even less stubs are able to use it. > see > getdnsapi.net for a representative example of something that can only > tell you > answers to the question you asked, even if it knows more, and won't keep > the > response in state just in case your next question could also be answered > by > it. getdnsapi has a return_both_v4_and_v6 extension but would need another > API > change to support HTTPSSVC. > > for SMTP senders to benefit from the additional AAAA/A data in MX answers, > they have to call a lower level API such as res_nsend() and then walk > through > the response to see what they actually got, in hopes of not needing to > make a > second query for addresses (or a second and third, if V6 and V4 are > available.) > > so, this way lies madness, and the solution we see most often is a > host-level > cache of DNS results. the old INN (usenet net news) server had one of > these, > and all modern browsers have one. many of us simply run a validating > iterative > caching recursive resolver on our hosts, since it's not much code by > modern > standards. but in all such cases we don't have a good way to retrieve more > than one kind of data in a single upstream DNS round trip. QDCOUNT>1 is > not > well defined and is broadly unimplemented. various other > multiple-questions > proposals have been made but nothing gets traction. > > > The obvious problems I could think of (all basically along the theme of > it > > not being ideal when the stub might not even care about HTTPSSVC): > > > > - Performance implications if the recursive has to retrieve HTTPSSVC > or > > follow alias chains. Maybe not as bad if only done opportunistically > > when the recursive happens to already have everything in cache. > > - Polluting DNS for non-browsers. Maybe not as bad if SVCB instead of > > HTTPSSVC, but this would likely only be of use for web browsers which > are > > obviously not the only queryers of A/AAAA. > > - Could lead to lots of unnecessary truncation, especially for large > > records containing ESNI data. > > your self-criticisms are all valid in my opinion. however, i think it > would be > fine to recommend in the HTTPSSVC draft that the necessary subsidiary data > like AAAA or A or SVCB all be sent, both in authoritative and non- > authoritative responses, when the qtype is HTTPSSVC and the responder > knows > the additional data (that is, it should not make extra queries to find it > just > for additional data reasons.) this will push UDP/53 DNS into either TCP/53 > DNS > (via truncation) or TCP/853 DNS (therefore incenting adoption of DoT) or > even > TCP/443 DNS (DoH) or UDP/443 DNS (DoHoQ). > > long answers are our future. if this data is going to be nec'y to make the > primary answer useful, then pre-seeding it is a net good. some day our > descendants will break the tyranny of MTU 1500, and thank us for any > prework > that brought the data their apps needed closer and with fewer round trips. > > -- > Paul > > >
- [DNSOP] unsolicited HTTPSSVC responses Eric Orth
- Re: [DNSOP] unsolicited HTTPSSVC responses Paul Vixie
- Re: [DNSOP] unsolicited HTTPSSVC responses Ben Schwartz
- Re: [DNSOP] unsolicited HTTPSSVC responses Paul Vixie
- Re: [DNSOP] [Ext] unsolicited HTTPSSVC responses Paul Hoffman
- Re: [DNSOP] unsolicited HTTPSSVC responses Petr Špaček
- Re: [DNSOP] unsolicited HTTPSSVC responses Ray Bellis
- Re: [DNSOP] unsolicited HTTPSSVC responses Eric Orth
- Re: [DNSOP] [Ext] unsolicited HTTPSSVC responses Eric Orth
- Re: [DNSOP] unsolicited HTTPSSVC responses Eric Orth
- Re: [DNSOP] unsolicited HTTPSSVC responses Ray Bellis
- Re: [DNSOP] [Ext] unsolicited HTTPSSVC responses Tony Finch
- [DNSOP] Multi-QTYPES (was: unsolicited HTTPSSVC r… Shane Kerr
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Petr Špaček
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Vladimír Čunát
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Joe Abley
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Eric Orth
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Petr Špaček
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Petr Špaček
- Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSS… Eric Orth
- Re: [DNSOP] unsolicited HTTPSSVC responses fujiwara