Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-04.txt
Willem Toorop <willem@nlnetlabs.nl> Mon, 22 March 2021 16:30 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 960203A0C40 for <dnsop@ietfa.amsl.com>; Mon, 22 Mar 2021 09:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16Kh4F0-IrSP for <dnsop@ietfa.amsl.com>; Mon, 22 Mar 2021 09:30:11 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F14C83A0C49 for <dnsop@ietf.org>; Mon, 22 Mar 2021 09:30:10 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 9E3EC600D0; Mon, 22 Mar 2021 16:30:01 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1616430600; bh=BtMLoo7abIGFos8VJKMKrKmukxLSTaVYekW9lV2BIkk=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=kZZjRuU7wbL92LktY1jF262PHu5kUm4J2QT/bLWo8dZraM2yFa+cnEjw0MAeOGFZN HQ96dUH9Zzcl7aaGJ4NVswkWt03Jbkvuiv63N7vE5qZ3zrolj/mLu26CzIsfdz76H3 QwvHHNfOHoVElKOuVDwz8pm2TK+xDiTAI4JIZ2DuIiVYGFjjkMhEqsKfgT+UXQmImM LrGtLMPCujP0Lo3R9aN9UvQMe2iIcWZAa5paI+ZGsdjiGSAbU/+kNHAydjhm1Wl97C cRJCy67sFMrAa/FWUErY1qj7/pWl4hZ7iKBSnF3c1Eox9iI9d8bEie7XQnnUG4n0AE pnEEKxVX1/XTg==
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>, Pieter Lexis <pieter.lexis@powerdns.com>
References: <161600103837.12472.4123883592260330100@ietfa.amsl.com> <CAHbrMsA3NzpY9RFNhWsvYgQ0hqcqEDuMUrw7HmGBJZ1+uaLtNA@mail.gmail.com> <600ED9AF-2C6F-429F-AF39-445E29E686EF@apple.com> <4DFDEFA6-4132-42CA-8DA7-D0537C5FC29A@isc.org> <99cdd98b-ac59-c96c-a73f-a58729c2ca52@nic.cz> <fbeb99ad-9ccc-1050-a0d2-3b6e5287ed7a@nlnetlabs.nl> <214c21bc-2d05-0c58-ba0f-4891bae0e343@powerdns.com> <b6b65c08-55c1-9f2c-a33b-29ab8e806d45@nlnetlabs.nl> <adad7e8a-280f-3ad6-4dac-eec954fe01bf@powerdns.com> <047911f1-87b8-e798-d361-9927bef7e10c@nlnetlabs.nl> <CAHbrMsCr=+Gdco9pgSeNL82Uz8162JnTDNc+LMMMkUOXsRi-RA@mail.gmail.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <8872b377-69a1-d9dd-609e-f0258aef46aa@nlnetlabs.nl>
Date: Mon, 22 Mar 2021 17:29:58 +0100
MIME-Version: 1.0
In-Reply-To: <CAHbrMsCr=+Gdco9pgSeNL82Uz8162JnTDNc+LMMMkUOXsRi-RA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cdZo-jkpVik9ulk6BUpAcWSUP3w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 16:30:16 -0000
Op 22-03-2021 om 15:50 schreef Ben Schwartz: > On Mon, Mar 22, 2021 at 5:41 AM Willem Toorop <willem@nlnetlabs.nl > <mailto:willem@nlnetlabs.nl>> wrote: > > But what about the keys in the "mandatory" SvcParam? Should they be > sorted automatically? Or should the parser produce an error if they are > not sorted? Currently both both Net::DNS and ldns sort them for you. > > > The draft says: > > The presentation "value" SHALL be a comma-separated list > (Appendix A.1) of one or more valid SvcParamKeys, either by their > registered name or in the unknown-key format (Section 2.1). Keys MAY > appear in any order, but MUST NOT appear more than once. > > and > > In wire format, the keys are represented by their numeric values in > network byte order, concatenated in ascending order. > > Hopefully that's clear enough. Sure, so this: x8.example. 3600 IN SVCB 16 foo.example.org. ( key853="test" key123="some other text" ipv4hint=192.0.2.1 mandatory=ipv4hint,alpn,key853,key123 alpn=h2,h3-19 ipv6hint=2001:db8::1.2.3.4,2001:db8:: ) is equivalent with x8.example. 3600 IN SVCB ( \# 115 0010 03666f6f076578616d706c65036f7267 00 ; foo.example.org. 0000 0008 00010004007b0355 0001 0009 0268320568332d3139 0004 0004 c0000201 0006 0020 20010db8000000000000000001020304 20010db8000000000000000000000000 ; key123=... 007b 000f 736f6d65206f746865722074657874 ; key853=... 0355 0004 74657374 ) Would be good to have that in a test vector ;). > What if keys appear double in the "mandatory" SvcParam? Should the > parser produce an error or remove the doubles? Currently ldns removes > them, but Net::DNS produces and error. > > > I think authoritative servers "SHOULD" enforce the zone file > requirements to the extent possible, but responsibility ultimately lies > with the zone owner. Excellent! How SHOULD it enforce? By failing to load or by fixing. Most here tilt to *failing to load*, so these should fail to load: ; Forbidden key in mandatory x9.example. 3600 IN SVCB 0 . mandatory=key0 x10.example. 3600 IN SVCB ( \# 9 0000 00 0000 0002 0000 ) ; Double key in mandatory x11.example. 3600 IN SVCB 0 . ( ipv4hint=192.0.2.1 alpn=h2 mandatory=ipv4hint,alpn,key4 ) x12.example. 3600 IN SVCB ( \# 28 0000 00 0000 0006 000100040004 0001 0003 026832 0004 0004 c0000201 ) ; Key without SvcParam in mandatory x13.example. 3600 IN SVCB 0 . ( ipv4hint=192.0.2.1 alpn=h2 mandatory=ipv6hint,alpn,key4 ) x14.example. 3600 IN SVCB ( \# 28 0000 00 0000 0006 000100040006 0001 0003 026832 0004 0004 c0000201 ) I think it would be good to have this added to the test-vectors appendix. Should this fail to load too? ; Wireformat has SvcParams unordered x15.example. 3600 IN SVCB ( \# 26 0000 00 0004 0004 c0000201 0001 0003 026832 0000 0004 00010004 ) or am I stretching it now... Cheers, -- Willem > > What if keys that may not appear in "mandatory" (like key0 or mandatory > itself) appear in the "mandatory" SvcParam? Should they be removed > automatically or should they produce and error. > > What if keys that are listed in "mandatory" do not appear in the RR. > > > The draft says: > > For self- > consistency (Section 2.4.3), listed keys MUST also appear in the > SvcParams. > > and (in Section 2.4.3) > > Zone-file implementations > SHOULD enforce self-consistency. Clients MUST reject any RR whose > recognized SvcParams are not self-consistent, and MAY reject the > entire RRSet. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-0… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Mark Andrews
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… libor.peltan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Pieter Lexis
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Miek Gieben
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Pieter Lexis
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Pieter Lexis
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Peter van Dijk
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Dick Franks
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Mark Andrews
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Pieter Lexis