Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Mark Andrews <marka@isc.org> Tue, 04 May 2021 02:07 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 272283A1E87 for <dnsop@ietfa.amsl.com>; Mon, 3 May 2021 19:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=YM/F8ihy; dkim=pass (1024-bit key) header.d=isc.org header.b=VU8/8Svc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t6TceAkJNJyN for <dnsop@ietfa.amsl.com>; Mon, 3 May 2021 19:07:28 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 602B63A1E85 for <dnsop@ietf.org>; Mon, 3 May 2021 19:07:28 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 312823AB02E; Tue, 4 May 2021 02:07:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1620094045; bh=VVOcDdh4q82zgRrE+AffDpxSkr1Y2yYNCWQxCoPpyfI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=YM/F8ihyLq2dBCGs5zJgXg/mOHFqIQdMske66TLG6EZw8Y8aVygHbdX7QILC4V53z pNpz0Q7myasz0A9liFii66cablHEw9IDxCfo4fmqLbSFbyaQUHolr2r8ov/oSNk4YP zeg5ScI3vZAc0+V5GU+fgkDpuBBinWBRMd414g+g=
Received: from zmx1.isc.org (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id F26D316005B; Tue, 4 May 2021 02:07:24 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id AC08E160064; Tue, 4 May 2021 02:07:24 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org AC08E160064
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1620094044; bh=Ix/Wy+TnN66oZEiBpjHlgXVbr8BHx5ESTM1Kp6WFn5w=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=VU8/8SvcoVTZ4J1BWJGNALqgTuneOWUYwWbOTLvQLdx9rx7vYGTIA81W+Hrtcpi37 xOhDQE82D/cTsGHkdoXvQBPd1719XtWqiSguz0vUMl5lh8cCZDZ7XTWcyiwSkotbpx 3Gg43iVGdYYFGwD7EmuJkuHegMHb9shr/eHbYjk8=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id EfSy5YY6htRZ; Tue, 4 May 2021 02:07:24 +0000 (UTC)
Received: from [172.30.42.99] (n49-177-132-25.bla3.nsw.optusnet.com.au [49.177.132.25]) by zmx1.isc.org (Postfix) with ESMTPSA id 5773A16005B; Tue, 4 May 2021 02:07:23 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsDNUKzYC__R1z6yzt_9xxyp4Eov1FekumT9sDpFkmPVPw@mail.gmail.com>
Date: Tue, 04 May 2021 12:07:20 +1000
Cc: Dick Franks <rwfranks@gmail.com>, dnsop <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1832F257-8ED4-43CF-B82E-E6F675F0DF2E@isc.org>
References: <161901308063.21005.875603362157576926@ietfa.amsl.com> <CAHbrMsA4TMfE+3LAT+un0FF3DGXKsYB1zAtvUwf2YKr97mJ+sQ@mail.gmail.com> <87B615B4-9CA3-4060-93C2-E4B953C11FB2@akamai.com> <CAHbrMsDaqrQ+XDO4z395tC_yOH4MBH8OmoH8zTXWEHfcDC1+Ew@mail.gmail.com> <6245BB4F-4E2F-435F-ABC0-18C0420C8541@akamai.com> <CAHbrMsDGq0usDiqr0HtbFCR4Y8swtyv_0i7UOFf=C_ExW+0FNQ@mail.gmail.com> <303AD4A1-A9BE-4C31-B730-7B4D42587206@akamai.com> <CAHbrMsCj8OToEhjo7O0YkW4WGosGK7stBYTneYHUoX_KckY7Uw@mail.gmail.com> <80539395-F1F6-4BA1-8AFF-667DDF7604B1@icann.org> <CAHbrMsAC3Mb+e18Gv361XnCU3kBOWqCbUXPujuuqOULh4e-v=g@mail.gmail.com> <CAKW6Ri4Yi2v+owa7KABATBoRmEB9u0k_hxd235iDL0ngbGhuLA@mail.gmail.com> <B0F5B473-9A40-447D-9555-F549F54CE0B5@isc.org> <CAHbrMsDNUKzYC__R1z6yzt_9xxyp4Eov1FekumT9sDpFkmPVPw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/deZwsVVtWiWfmcJIQHGOT2qXceE>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2021 02:07:33 -0000

Again this is tail wagging the dog.  It should all be about ease of data entry.
Adding another backslash escape with meaning should be trivial.  It was in BIND.
It was no harder than handling \. in a DNS label.  Instead we have complicated data
entry.

Making it easy for millions of people entering data vs a handful of people writing
parsers.

B.T.W. port=“\055\053” is illegal and I suspect that some of the parsers requiring the
double quoting don’t detect that.  See the various "SvcParamValue MUST NOT contain escape
sequences”. 

Mark

> On 4 May 2021, at 03:23, Ben Schwartz <bemasc@google.com> wrote:
> 
> The purpose of this two-layer escaping is to allow key-independent tokenizing of SvcParam values.  For example, I just wrote an implementation of the parser that works as follows:
> 
> 1. Tokenize
>   a. Scan forward looking for whitespace or "=".  This is the key name. 
>   b. If "=" was found, run the standard char-string parser.  Its output is the SvcParam presentation value.
> 2. Create a SvcParam representing (key name, value).
>   a. Choose a value parser based on the key name.
>     - Parsers that use the "value-list" pattern call a subroutine with a tiny chunk of escaping logic for handling backslash and comma.
>   b. Run the parser on the value.
> 
> If we use single-layer escaping, this arrangement is not possible.  Instead,
> (1) we would need to add complexity to the char-string parser that is shared by many RR types.
> (2) we would need to integrate key-type-specific behavior into the tokenizer, complicating the interface between the parsing function and the SvcParams implementation.
> 
> In the draft's arrangement, those implementation choices are allowed, but not required.
> 
> For the administrators, this all seems likely to remain irrelevant.  There is no known use case where escaping is or will be used in a value-list element.  The functionality is defined only to preserve ALPN as 8-bit-clean, as requested by some TLS experts, but there will likely never be a defined ALPN that contains these characters.
> 
> On Sun, May 2, 2021 at 5:27 PM Mark Andrews <marka@isc.org> wrote:
> I agree with you Dick, but some developers complained that they "couldn’t
> re-use their string parsers" (despite no existing parser supporting key=“value”)
> so now we have to double escape backslashes.  I very much feel that this is tail
> wagging the dog.
> 
> > On 3 May 2021, at 01:25, Dick Franks <rwfranks@gmail.com> wrote:
> > 
> > All,
> > 
> > I have considerable difficulty with these test vectors at the end of
> > Appendix D.2:
> > 
> >        16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
> >        16 foo.example.org. alpn=f\\\092oo\092,bar,h2
> > 
> >        \# 35 (
> >        00 10                                              ; priority
> >        03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
> >        00 01                                              ; key 1
> >        00 0c                                              ; param length 12
> >        08                                                 ; alpn length 8
> >        66 5c 6f 6f 2c 62 61 72                            ; alpn value
> >        02                                                 ; alpn length 2
> >        68 32                                              ; alpn value
> >        )
> > 
> > which appear to be incompatible with RFC1035 5.1 paragraph 10:
> > 
> >        Because these files are text files several special encodings are
> >        necessary to allow arbitrary data to be loaded.  In particular:
> > 
> >        ...
> > 
> >        \X          where X is any character other than a digit (0-9), is
> >                    used to quote that character so that its special meaning
> >                    does not apply.  For example, "\." can be used to place
> >                    a dot character in a label.
> > 
> >        \DDD        where each D is a digit is the octet corresponding to
> >                    the decimal number described by DDD.  The resulting
> >                    octet is assumed to be text and is not checked for
> >                    special meaning.
> > 
> > The intention appears to be to include (a) a single arbitrary octet in
> > the argument, and (b) a plain text comma not being a delimiter in the
> > argument list. The specimen result is consistent with that assumption.
> > 
> > Armed with the weapons supplied by RFC1035, the obvious way to
> > represent such an argument is:   alpn="f\092oo\,bar,h2"
> > 
> > 
> > A parser adhering strictly to RFC1035 zone file escape conventions:
> > 
> >        #!/usr/bin/perl
> >        use Net::DNS 1.31;
> >        use Net::DNS::ZoneFile;
> > 
> >        my $zonefile = new Net::DNS::ZoneFile(\*DATA);
> >        while ( my $rr = $zonefile->read ) {
> >            $rr->print;
> >        }
> >        exit;
> > 
> >        __DATA__
> >        rfc1035-compliant.example.  SVCB    16 foo.example.org.
> > alpn="f\092oo\,bar,h2"
> > 
> > produces the desired wire-format image:
> > 
> >        rfc1035-compliant.example.  IN      SVCB    ( \# 35 0010    ; 16
> >                03666f6f076578616d706c65036f7267 00         ; foo.example.org.
> >                0001 000c 08665c6f6f2c626172026832 )
> > 
> > Other parsers are available.
> > 
> > 
> > The test vectors, as written, appear to rely upon somehow reactivating
> > the special meaning of the escape character which is explicitly
> > disallowed by RFC1035.
> > 
> > The result in each case is:
> > 
> >        non-compliant.example.      IN      SVCB    ( \# 37 0010    ; 16
> >                03666f6f076578616d706c65036f7267 00         ; foo.example.org.
> >                0001 000e 06665c5c6f6f5c03626172026832 )
> > 
> > the escaped escape characters being inserted as uninterpreted text per RFC1035.
> > 
> > 
> > Dick Franks
> > ________________________
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org