Re: [DNSOP] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00

Ben Schwartz <> Tue, 24 September 2019 15:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 356941208A9 for <>; Tue, 24 Sep 2019 08:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O42jxI7-2a_z for <>; Tue, 24 Sep 2019 08:35:20 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E4763120829 for <>; Tue, 24 Sep 2019 08:35:19 -0700 (PDT)
Received: by with SMTP id j4so5463000iog.11 for <>; Tue, 24 Sep 2019 08:35:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4/hfRn4yFhPSCJqzFDhunl66dPZhSuG8qIYSfuAudXA=; b=wG5vdua74iD7ay47hXMczg99NtWG4JKvdy0lfMOuBkT/jTgW+OUVkC4NUf4vS/288t MHDvq4qbk6Nb/IUmell8dnoJmDuMAd6YbTVW198tJV+/dbk5fpAvtujOBZr/WiDNhcDT j9tW1yQQM7A3JAT+5+c2EJyz+tFKUFoudi+HWEFX3GQGMjKFuZ1qZzrXTkWltTq2hYHR SEjTrPQKPgUGZ7oQG0KY3qmyOWDKc6uWiwRrXBfOITIT/lP1ttKAjODwXW5OHDc23HRs KhJlBqRq/KWnJm5/ovZ8wvz/YKibS1UtQH+tcW7AyrmhuRe/5c8P8pX2UtvKqFy/WK5q YFmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4/hfRn4yFhPSCJqzFDhunl66dPZhSuG8qIYSfuAudXA=; b=n3y1/mJUTPnkBOxjB8J9vQn/gGNjYpGsxN/yhSZpNUi7ap/mtzg98x3smEnp04QWUT XKeNoeu+QizYkqiFPeS3eZfGUeukinepGtB3ao01e9fcBTzpVyzkNjhA7pSdgYz1TyCl dbFRMfNNJEfarcnzWoiHt4TSHaFnYLZH72z5GezyKGpWrChKkTULM2lWku3f7E/+CpcA yeppbpyHMTBWkjHyciF5sBcKSygI4lZ0C38i5/Ru9VZiucG3Qd++KTV07zaaaoP87t7G dIG5TtJLu1qcrjUkSPSP5uN6YvRfI8Jg8F59U0uB2LVPgr2DsCM6WnGEMH6NGCPA5zJ8 IMkg==
X-Gm-Message-State: APjAAAXzPJT4LkgYoWJFUyOkaV6hbLsVe98GhUukmEvMXcSW7LYi6KYO WBj2ayiJhK3qo9nHTEq/Q381wyhGao087RloSlWsRQ==
X-Google-Smtp-Source: APXvYqydI/NDtxCZvtJgN6B5YPbeAuu9toMvQN6niUMEWe3nzn44f5aKz7j6y3MgQofhrfHhbOeKXCgk6f5FMfmeVVM=
X-Received: by 2002:a6b:7b4a:: with SMTP id m10mr4062087iop.163.1569339318847; Tue, 24 Sep 2019 08:35:18 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Tue, 24 Sep 2019 11:35:06 -0400
Message-ID: <>
To: Bob Harold <>
Cc: Erik Nygren <>, dnsop WG <>, Mike Bishop <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000aa628205934e48dd"
Archived-At: <>
Subject: Re: [DNSOP] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Sep 2019 15:35:23 -0000

On Tue, Sep 24, 2019 at 10:23 AM Bob Harold <> wrote:

> On Tue, Sep 24, 2019 at 9:18 AM Erik Nygren <> wrote:
>> Following discussions around the "HTTPSSVC" record proposal in Montreal
>> with the DNSOP, HTTP and TLS WGs, we've updated what was previously
>> "draft-nygren-httpbis-httpssvc-03".  The new version is
>> "draft-nygren-dnsop-svcb-httpssvc-00".   This incorporates much of the
>> feedback from the WG discussions, as well as feedback from discussions with
>> the TLS WG (as we'd like to see this replace the need for a separate ESNI
>> record).
>> In particular, it generalizes the record into a new "SVCB" record which
>> doesn't have any protocol-specific semantics.  It also defines an
>> "HTTPSSVC" record that is compatible with SVCB (sharing a wire-format and
>> parameter registry) and which defines the HTTP(S)-specific semantics such
>> as bindings to Alt-Svc.  Other protocols can either define bindings
>> directly to SVCB or can define their own RR Type (which should only ever be
>> needed if there is a need to use the record at a zone apex).
>> We'd like to see this adopted by the DNSOP WG.  Until then, issues and
>> PRs can go against:
>> Major changes from "draft-nygren-httpbis-httpssvc-03" include:
>> * Separation into the SVCB and HTTPSSVC RR Types  (and separated all of
>> the HTTPS-specific functionality and text to its own portion of the
>> document).
>> * Elimination of the SvcRecordType field (and making the SvcRecordType
>> implicit)
>> * Changing the wire format of parameters from being in Alt-Svc text
>> format to a more general binary key/value pair format (with a mapping to
>> Alt-Svc for HTTPSSVC).
>> * Adding optional "ipv4hint" and "ipv6hint" parameters.
>> * Quite a few cleanups and clarifications based on input (and we
>> undoubtedly have more left to go)
>> This retains support for all of the use-cases that the previous HTTPSSVC
>> record had (such as for covering the ANAME / CNAME-at-the-zone-apex
>> use-case).
>> Feedback is most welcome.  If the TLS WG is going to use this instead of
>> a separate ESNI record, there is a desire to make progress on this fairy
>> quickly.
>>        Erik
>> ---------- Forwarded message ---------
>> From: <>
>> Date: Mon, Sep 23, 2019 at 7:01 PM
>> Subject: New Version Notification for
>> draft-nygren-dnsop-svcb-httpssvc-00.txt
>> To: Mike Bishop <>be>, Erik Nygren <>rg>,
>> Benjamin Schwartz <>
>> A new version of I-D, draft-nygren-dnsop-svcb-httpssvc-00.txt
>> has been successfully submitted by Benjamin Schwartz and posted to the
>> IETF repository.
>> Name:           draft-nygren-dnsop-svcb-httpssvc
>> Revision:       00
>> Title:          Service binding and parameter specification via the DNS
>> Document date:  2019-09-22
>> Group:          Individual Submission
>> Pages:          33
>> URL:
>> Status:
>> Htmlized:
>> Htmlized:
>> Abstract:
>>    This document specifies the "SVCB" and "HTTPSSVC" DNS resource record
>>    types to facilitate the lookup of information needed to make
>>    connections for origin resources, such as for HTTPS URLs.  SVCB
>>    records allow an origin to be served from multiple network locations,
>>    each with associated parameters (such as transport protocol
>>    configuration and keying material for encrypting TLS SNI).  They also
>>    enable aliasing of apex domains, which is not possible with CNAME.
>>    The HTTPSSVC DNS RR is a variation of SVCB for HTTPS and HTTP
>>    origins.  By providing more information to the client before it
>>    attempts to establish a connection, these records offer potential
>>    benefits to both performance and privacy.
>>    TO BE REMOVED: This proposal is inspired by and based on recent DNS
>>    usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long
>>    standing desires to have SRV or a functional equivalent implemented
>>    for HTTP).  These proposals each provide an important function but
>>    are potentially incompatible with each other, such as when an origin
>>    is load-balanced across multiple hosting providers (multi-CDN)..
>>    Furthermore, these each add potential cases for adding additional
>>    record lookups in-addition to AAAA/A lookups.  This design attempts
>>    to provide a unified framework that encompasses the key functionality
>>    of these proposals, as well as providing some extensibility for
>>    addressing similar future challenges.
>>    TO BE REMOVED: The specific name for this RR type is an open topic
>>    for discussion.  "SVCB" and "HTTPSSVC" are meant as placeholders as
>>    they are easy to replace.  Other names might include "B", "SRV2",
>>    "SVCHTTPS", "HTTPS", and "ALTSVC".
> Looks good to me, hope it gets used!
> Several places have text like:
> 4. DNS Server Behavior
> 2.
> "If at least one record is in AliasForm, ignore all other SVCB records in
> the RRSet."
> While the records must be 'ignored', it might be noted that they must
> still be included in the DNS response, if DNSSEC is in use, so that the
> signatures work, I think?

True.  I've added this to our tracker:

> And my opinion - it should encourage use of DNSSEC.
> --
> Bob Harold