Re: [DNSOP] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00

Ben Schwartz <bemasc@google.com> Tue, 24 September 2019 15:35 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356941208A9 for <dnsop@ietfa.amsl.com>; Tue, 24 Sep 2019 08:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O42jxI7-2a_z for <dnsop@ietfa.amsl.com>; Tue, 24 Sep 2019 08:35:20 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4763120829 for <dnsop@ietf.org>; Tue, 24 Sep 2019 08:35:19 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id j4so5463000iog.11 for <dnsop@ietf.org>; Tue, 24 Sep 2019 08:35:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4/hfRn4yFhPSCJqzFDhunl66dPZhSuG8qIYSfuAudXA=; b=wG5vdua74iD7ay47hXMczg99NtWG4JKvdy0lfMOuBkT/jTgW+OUVkC4NUf4vS/288t MHDvq4qbk6Nb/IUmell8dnoJmDuMAd6YbTVW198tJV+/dbk5fpAvtujOBZr/WiDNhcDT j9tW1yQQM7A3JAT+5+c2EJyz+tFKUFoudi+HWEFX3GQGMjKFuZ1qZzrXTkWltTq2hYHR SEjTrPQKPgUGZ7oQG0KY3qmyOWDKc6uWiwRrXBfOITIT/lP1ttKAjODwXW5OHDc23HRs KhJlBqRq/KWnJm5/ovZ8wvz/YKibS1UtQH+tcW7AyrmhuRe/5c8P8pX2UtvKqFy/WK5q YFmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4/hfRn4yFhPSCJqzFDhunl66dPZhSuG8qIYSfuAudXA=; b=n3y1/mJUTPnkBOxjB8J9vQn/gGNjYpGsxN/yhSZpNUi7ap/mtzg98x3smEnp04QWUT XKeNoeu+QizYkqiFPeS3eZfGUeukinepGtB3ao01e9fcBTzpVyzkNjhA7pSdgYz1TyCl dbFRMfNNJEfarcnzWoiHt4TSHaFnYLZH72z5GezyKGpWrChKkTULM2lWku3f7E/+CpcA yeppbpyHMTBWkjHyciF5sBcKSygI4lZ0C38i5/Ru9VZiucG3Qd++KTV07zaaaoP87t7G dIG5TtJLu1qcrjUkSPSP5uN6YvRfI8Jg8F59U0uB2LVPgr2DsCM6WnGEMH6NGCPA5zJ8 IMkg==
X-Gm-Message-State: APjAAAXzPJT4LkgYoWJFUyOkaV6hbLsVe98GhUukmEvMXcSW7LYi6KYO WBj2ayiJhK3qo9nHTEq/Q381wyhGao087RloSlWsRQ==
X-Google-Smtp-Source: APXvYqydI/NDtxCZvtJgN6B5YPbeAuu9toMvQN6niUMEWe3nzn44f5aKz7j6y3MgQofhrfHhbOeKXCgk6f5FMfmeVVM=
X-Received: by 2002:a6b:7b4a:: with SMTP id m10mr4062087iop.163.1569339318847; Tue, 24 Sep 2019 08:35:18 -0700 (PDT)
MIME-Version: 1.0
References: <156927967091.17209.1946223190141713793.idtracker@ietfa.amsl.com> <CAKC-DJi4EHz5CCAqRj_cYTVygiuo0s2QGaPLCct6e9Bh1mXaXQ@mail.gmail.com> <CA+nkc8CS+GtExP_UUPLAp2fU2kPR8qYAFqXUiU+pxT547OoiUw@mail.gmail.com>
In-Reply-To: <CA+nkc8CS+GtExP_UUPLAp2fU2kPR8qYAFqXUiU+pxT547OoiUw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 24 Sep 2019 11:35:06 -0400
Message-ID: <CAHbrMsB0bNzYZWBw5tOcxiZhpHzuL825i20RTMDb6Ur8pYUsBQ@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Cc: Erik Nygren <erik+ietf@nygren.org>, dnsop WG <dnsop@ietf.org>, Mike Bishop <mbishop@evequefou.be>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000aa628205934e48dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c4jV3ezz0ffo7Stz9agBmKQ19hs>
Subject: Re: [DNSOP] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 15:35:23 -0000

On Tue, Sep 24, 2019 at 10:23 AM Bob Harold <rharolde@umich.edu> wrote:

>
> On Tue, Sep 24, 2019 at 9:18 AM Erik Nygren <erik+ietf@nygren.org> wrote:
>
>> Following discussions around the "HTTPSSVC" record proposal in Montreal
>> with the DNSOP, HTTP and TLS WGs, we've updated what was previously
>> "draft-nygren-httpbis-httpssvc-03".  The new version is
>> "draft-nygren-dnsop-svcb-httpssvc-00".   This incorporates much of the
>> feedback from the WG discussions, as well as feedback from discussions with
>> the TLS WG (as we'd like to see this replace the need for a separate ESNI
>> record).
>>
>> In particular, it generalizes the record into a new "SVCB" record which
>> doesn't have any protocol-specific semantics.  It also defines an
>> "HTTPSSVC" record that is compatible with SVCB (sharing a wire-format and
>> parameter registry) and which defines the HTTP(S)-specific semantics such
>> as bindings to Alt-Svc.  Other protocols can either define bindings
>> directly to SVCB or can define their own RR Type (which should only ever be
>> needed if there is a need to use the record at a zone apex).
>>
>> We'd like to see this adopted by the DNSOP WG.  Until then, issues and
>> PRs can go against:  https://github.com/MikeBishop/dns-alt-svc
>>
>> Major changes from "draft-nygren-httpbis-httpssvc-03" include:
>>
>> * Separation into the SVCB and HTTPSSVC RR Types  (and separated all of
>> the HTTPS-specific functionality and text to its own portion of the
>> document).
>> * Elimination of the SvcRecordType field (and making the SvcRecordType
>> implicit)
>> * Changing the wire format of parameters from being in Alt-Svc text
>> format to a more general binary key/value pair format (with a mapping to
>> Alt-Svc for HTTPSSVC).
>> * Adding optional "ipv4hint" and "ipv6hint" parameters.
>> * Quite a few cleanups and clarifications based on input (and we
>> undoubtedly have more left to go)
>>
>> This retains support for all of the use-cases that the previous HTTPSSVC
>> record had (such as for covering the ANAME / CNAME-at-the-zone-apex
>> use-case).
>>
>> Feedback is most welcome.  If the TLS WG is going to use this instead of
>> a separate ESNI record, there is a desire to make progress on this fairy
>> quickly.
>>
>>        Erik
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Mon, Sep 23, 2019 at 7:01 PM
>> Subject: New Version Notification for
>> draft-nygren-dnsop-svcb-httpssvc-00.txt
>> To: Mike Bishop <mbishop@evequefou.be>be>, Erik Nygren <erik+ietf@nygren.org>rg>,
>> Benjamin Schwartz <bemasc@google.com>
>>
>>
>>
>> A new version of I-D, draft-nygren-dnsop-svcb-httpssvc-00.txt
>> has been successfully submitted by Benjamin Schwartz and posted to the
>> IETF repository.
>>
>> Name:           draft-nygren-dnsop-svcb-httpssvc
>> Revision:       00
>> Title:          Service binding and parameter specification via the DNS
>> (DNS SVCB and HTTPSSVC)
>> Document date:  2019-09-22
>> Group:          Individual Submission
>> Pages:          33
>> URL:
>> https://www.ietf.org/internet-drafts/draft-nygren-dnsop-svcb-httpssvc-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-nygren-dnsop-svcb-httpssvc/
>> Htmlized:
>> https://tools.ietf.org/html/draft-nygren-dnsop-svcb-httpssvc-00
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-svcb-httpssvc
>>
>>
>> Abstract:
>>    This document specifies the "SVCB" and "HTTPSSVC" DNS resource record
>>    types to facilitate the lookup of information needed to make
>>    connections for origin resources, such as for HTTPS URLs.  SVCB
>>    records allow an origin to be served from multiple network locations,
>>    each with associated parameters (such as transport protocol
>>    configuration and keying material for encrypting TLS SNI).  They also
>>    enable aliasing of apex domains, which is not possible with CNAME.
>>    The HTTPSSVC DNS RR is a variation of SVCB for HTTPS and HTTP
>>    origins.  By providing more information to the client before it
>>    attempts to establish a connection, these records offer potential
>>    benefits to both performance and privacy.
>>
>>    TO BE REMOVED: This proposal is inspired by and based on recent DNS
>>    usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long
>>    standing desires to have SRV or a functional equivalent implemented
>>    for HTTP).  These proposals each provide an important function but
>>    are potentially incompatible with each other, such as when an origin
>>    is load-balanced across multiple hosting providers (multi-CDN)..
>>    Furthermore, these each add potential cases for adding additional
>>    record lookups in-addition to AAAA/A lookups.  This design attempts
>>    to provide a unified framework that encompasses the key functionality
>>    of these proposals, as well as providing some extensibility for
>>    addressing similar future challenges.
>>
>>    TO BE REMOVED: The specific name for this RR type is an open topic
>>    for discussion.  "SVCB" and "HTTPSSVC" are meant as placeholders as
>>    they are easy to replace.  Other names might include "B", "SRV2",
>>    "SVCHTTPS", "HTTPS", and "ALTSVC".
>>
>
> Looks good to me, hope it gets used!
>
> Several places have text like:
>
> 4. DNS Server Behavior
> 2.
> "If at least one record is in AliasForm, ignore all other SVCB records in
> the RRSet."
>
> While the records must be 'ignored', it might be noted that they must
> still be included in the DNS response, if DNSSEC is in use, so that the
> signatures work, I think?
>

True.  I've added this to our tracker:
https://github.com/MikeBishop/dns-alt-svc/issues/55


>
> And my opinion - it should encourage use of DNSSEC.
>
> --
> Bob Harold
>
>