IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-04.txt

Willem Toorop <willem@nlnetlabs.nl> Mon, 22 March 2021 16:30 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 960203A0C40 for <dnsop@ietfa.amsl.com>; Mon, 22 Mar 2021 09:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16Kh4F0-IrSP for <dnsop@ietfa.amsl.com>; Mon, 22 Mar 2021 09:30:11 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F14C83A0C49 for <dnsop@ietf.org>; Mon, 22 Mar 2021 09:30:10 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 9E3EC600D0; Mon, 22 Mar 2021 16:30:01 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1616430600; bh=BtMLoo7abIGFos8VJKMKrKmukxLSTaVYekW9lV2BIkk=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=kZZjRuU7wbL92LktY1jF262PHu5kUm4J2QT/bLWo8dZraM2yFa+cnEjw0MAeOGFZN HQ96dUH9Zzcl7aaGJ4NVswkWt03Jbkvuiv63N7vE5qZ3zrolj/mLu26CzIsfdz76H3 QwvHHNfOHoVElKOuVDwz8pm2TK+xDiTAI4JIZ2DuIiVYGFjjkMhEqsKfgT+UXQmImM LrGtLMPCujP0Lo3R9aN9UvQMe2iIcWZAa5paI+ZGsdjiGSAbU/+kNHAydjhm1Wl97C cRJCy67sFMrAa/FWUErY1qj7/pWl4hZ7iKBSnF3c1Eox9iI9d8bEie7XQnnUG4n0AE pnEEKxVX1/XTg==
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>, Pieter Lexis <pieter.lexis@powerdns.com>
References: <161600103837.12472.4123883592260330100@ietfa.amsl.com> <CAHbrMsA3NzpY9RFNhWsvYgQ0hqcqEDuMUrw7HmGBJZ1+uaLtNA@mail.gmail.com> <600ED9AF-2C6F-429F-AF39-445E29E686EF@apple.com> <4DFDEFA6-4132-42CA-8DA7-D0537C5FC29A@isc.org> <99cdd98b-ac59-c96c-a73f-a58729c2ca52@nic.cz> <fbeb99ad-9ccc-1050-a0d2-3b6e5287ed7a@nlnetlabs.nl> <214c21bc-2d05-0c58-ba0f-4891bae0e343@powerdns.com> <b6b65c08-55c1-9f2c-a33b-29ab8e806d45@nlnetlabs.nl> <adad7e8a-280f-3ad6-4dac-eec954fe01bf@powerdns.com> <047911f1-87b8-e798-d361-9927bef7e10c@nlnetlabs.nl> <CAHbrMsCr=+Gdco9pgSeNL82Uz8162JnTDNc+LMMMkUOXsRi-RA@mail.gmail.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <8872b377-69a1-d9dd-609e-f0258aef46aa@nlnetlabs.nl>
Date: Mon, 22 Mar 2021 17:29:58 +0100
MIME-Version: 1.0
In-Reply-To: <CAHbrMsCr=+Gdco9pgSeNL82Uz8162JnTDNc+LMMMkUOXsRi-RA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cdZo-jkpVik9ulk6BUpAcWSUP3w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 16:30:16 -0000

Op 22-03-2021 om 15:50 schreef Ben Schwartz:
> On Mon, Mar 22, 2021 at 5:41 AM Willem Toorop <willem@nlnetlabs.nl
> <mailto:willem@nlnetlabs.nl>> wrote:
> 
>     But what about the keys in the "mandatory" SvcParam? Should they be
>     sorted automatically? Or should the parser produce an error if they are
>     not sorted? Currently both both Net::DNS and ldns sort them for you.
> 
> 
> The draft says:
> 
>    The presentation "value" SHALL be a comma-separated list
>    (Appendix A.1) of one or more valid SvcParamKeys, either by their
>    registered name or in the unknown-key format (Section 2.1).  Keys MAY
>    appear in any order, but MUST NOT appear more than once.
> 
> and
> 
>    In wire format, the keys are represented by their numeric values in
>    network byte order, concatenated in ascending order.
> 
> Hopefully that's clear enough.

Sure, so this:

x8.example.     3600    IN      SVCB    16 foo.example.org. (
        key853="test" key123="some other text"
        ipv4hint=192.0.2.1 mandatory=ipv4hint,alpn,key853,key123
        alpn=h2,h3-19 ipv6hint=2001:db8::1.2.3.4,2001:db8::
	)

is equivalent with

x8.example.	3600	IN	SVCB	( \# 115 0010
	03666f6f076578616d706c65036f7267 00	; foo.example.org.
	0000 0008 00010004007b0355
	0001 0009 0268320568332d3139
	0004 0004 c0000201
	0006 0020 20010db8000000000000000001020304
	          20010db8000000000000000000000000
	; key123=...
	007b 000f 736f6d65206f746865722074657874
	; key853=...
	0355 0004 74657374
	)

Would be good to have that in a test vector ;).

>     What if keys appear double in the "mandatory" SvcParam? Should the
>     parser produce an error or remove the doubles? Currently ldns removes
>     them, but Net::DNS produces and error.
> 
> 
> I think authoritative servers "SHOULD" enforce the zone file
> requirements to the extent possible, but responsibility ultimately lies
> with the zone owner.

Excellent! How SHOULD it enforce? By failing to load or by fixing.
Most here tilt to *failing to load*, so these should fail to load:

; Forbidden key in mandatory
x9.example.	3600	IN	SVCB	0 . mandatory=key0
x10.example.	3600	IN	SVCB	( \# 9 0000 00
	0000 0002 0000
	)

; Double key in mandatory
x11.example.	3600	IN	SVCB	0 . (
	ipv4hint=192.0.2.1 alpn=h2 mandatory=ipv4hint,alpn,key4
	)
x12.example.	3600	IN	SVCB	( \# 28 0000 00
	0000 0006 000100040004
	0001 0003 026832
	0004 0004 c0000201
	)

; Key without SvcParam in mandatory
x13.example.	3600	IN	SVCB	0 . (
	ipv4hint=192.0.2.1 alpn=h2 mandatory=ipv6hint,alpn,key4
	)
x14.example.	3600	IN	SVCB	( \# 28 0000 00
	0000 0006 000100040006
	0001 0003 026832
	0004 0004 c0000201
	)

I think it would be good to have this added to the test-vectors appendix.

Should this fail to load too?

; Wireformat has SvcParams unordered
x15.example.	3600	IN	SVCB	( \# 26 0000 00
	0004 0004 c0000201
	0001 0003 026832
	0000 0004 00010004
	)

or am I stretching it now...

Cheers,
-- Willem

> 
>     What if keys that may not appear in "mandatory" (like key0 or mandatory
>     itself) appear in the "mandatory" SvcParam? Should they be removed
>     automatically or should they produce and error.
> 
>     What if keys that are listed in "mandatory" do not appear in the RR.
> 
> 
> The draft says:
> 
>    For self-
>    consistency (Section 2.4.3), listed keys MUST also appear in the
>    SvcParams.
> 
> and (in Section 2.4.3)
> 
>    Zone-file implementations
>    SHOULD enforce self-consistency.  Clients MUST reject any RR whose
>    recognized SvcParams are not self-consistent, and MAY reject the
>    entire RRSet.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email