Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Ben Schwartz <bemasc@google.com> Mon, 03 May 2021 17:23 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91CE93A1D30 for <dnsop@ietfa.amsl.com>; Mon, 3 May 2021 10:23:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ct5c68O9ByCv for <dnsop@ietfa.amsl.com>; Mon, 3 May 2021 10:23:16 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 713943A1D33 for <dnsop@ietf.org>; Mon, 3 May 2021 10:23:16 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id n84so3802530wma.0 for <dnsop@ietf.org>; Mon, 03 May 2021 10:23:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aArCJY0VyHYtCH/NaTvK+Y9ZPb3eRgExienaW6AgsJA=; b=hqleSs7ZTbbE/RTVSYwGhWKYb3ZzWr3ayrqUeFMqmh8St9O0zapaQRTEEmleJr2tnF /mEw21jjHnQNx9EqRQGiEFPsqiWEOHxP0lARoN54loX7JknFs/cakwUE1O0IjTq8wS5x Ho0oP8vqL77gxFbkqovd228GZs9gyBxzsT3Cbg5XFcyWOLTh8+OKynghoG02pzT6+I6Q m2b7K6whx5ioYMfHTzt6B+cvlVXdVreW09wzzaJfbFTihuoDcWUacqhP+7SwErYRJJ4K gkFyymPUZZkLrmJ9jRD/nR51pjhySgTu1xaRTN0VCOuEeYzXaByWnkj9lxIYGa8fAb1X dBQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aArCJY0VyHYtCH/NaTvK+Y9ZPb3eRgExienaW6AgsJA=; b=kqc1M1+doB9CPkzwLRWTR24n1k3C3458xXjfdKfi0jlLqvHvFNDq2JZVp2XTytmyte IL5gK2XA2QS9UvZBjENpjVgNdI46kclTWdBjEtyQVQ+MrjqO7byrDLSGom7to2T+zIK6 RiTytM2rHAUE3ijcqr6Ywx0SKsfMik+sCV0bBrJnjKIXhPH34tSMqGcYle2RfDKsXoay PqWd63obHjW9QZ0h0wbxcJUpEB81sIFhaYYPmZJ/Pn8/aCCcujyvHPREwZSVj0STFJE+ Cme6/K96q8moBUCPFEKjWyQNdsu2KX14DIPXEIC7qvlESRLveohFvuqBijAOHAI2ywzy Z/Jw==
X-Gm-Message-State: AOAM532WcsYBzCu4b1C02UAHe8+FMjK6umqDtqBVGKh7FZChh+qFuxvx P+K8RH3ZwMtO9sTbENvX/OIFl0orrf9PDQ1ZvId7jQ==
X-Google-Smtp-Source: ABdhPJxtrRWTUTKYIY/myuc0YyHhmW7fmtiJ90w/jNR+0PKeiW1eWAxacJM+SzhAJbL+bwiBMnmPxqDQI4+8t25qxQs=
X-Received: by 2002:a05:600c:190b:: with SMTP id j11mr23019045wmq.132.1620062592892; Mon, 03 May 2021 10:23:12 -0700 (PDT)
MIME-Version: 1.0
References: <161901308063.21005.875603362157576926@ietfa.amsl.com> <CAHbrMsA4TMfE+3LAT+un0FF3DGXKsYB1zAtvUwf2YKr97mJ+sQ@mail.gmail.com> <87B615B4-9CA3-4060-93C2-E4B953C11FB2@akamai.com> <CAHbrMsDaqrQ+XDO4z395tC_yOH4MBH8OmoH8zTXWEHfcDC1+Ew@mail.gmail.com> <6245BB4F-4E2F-435F-ABC0-18C0420C8541@akamai.com> <CAHbrMsDGq0usDiqr0HtbFCR4Y8swtyv_0i7UOFf=C_ExW+0FNQ@mail.gmail.com> <303AD4A1-A9BE-4C31-B730-7B4D42587206@akamai.com> <CAHbrMsCj8OToEhjo7O0YkW4WGosGK7stBYTneYHUoX_KckY7Uw@mail.gmail.com> <80539395-F1F6-4BA1-8AFF-667DDF7604B1@icann.org> <CAHbrMsAC3Mb+e18Gv361XnCU3kBOWqCbUXPujuuqOULh4e-v=g@mail.gmail.com> <CAKW6Ri4Yi2v+owa7KABATBoRmEB9u0k_hxd235iDL0ngbGhuLA@mail.gmail.com> <B0F5B473-9A40-447D-9555-F549F54CE0B5@isc.org>
In-Reply-To: <B0F5B473-9A40-447D-9555-F549F54CE0B5@isc.org>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 03 May 2021 10:23:00 -0700
Message-ID: <CAHbrMsDNUKzYC__R1z6yzt_9xxyp4Eov1FekumT9sDpFkmPVPw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Dick Franks <rwfranks@gmail.com>, dnsop <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000062c6cd05c1703737"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/figuGx7liqveVYbGuQxWtfLks6I>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2021 17:23:22 -0000

The purpose of this two-layer escaping is to allow key-independent
tokenizing of SvcParam values.  For example, I just wrote an implementation
of the parser that works as follows:

1. Tokenize
  a. Scan forward looking for whitespace or "=".  This is the key name.
  b. If "=" was found, run the standard char-string parser.  Its output is
the SvcParam presentation value.
2. Create a SvcParam representing (key name, value).
  a. Choose a value parser based on the key name.
    - Parsers that use the "value-list" pattern call a subroutine with a
tiny chunk of escaping logic for handling backslash and comma.
  b. Run the parser on the value.

If we use single-layer escaping, this arrangement is not possible.  Instead,
(1) we would need to add complexity to the char-string parser that is
shared by many RR types.
(2) we would need to integrate key-type-specific behavior into the
tokenizer, complicating the interface between the parsing function and the
SvcParams implementation.

In the draft's arrangement, those implementation choices are allowed, but
not required.

For the administrators, this all seems likely to remain irrelevant.  There
is no known use case where escaping is or will be used in a value-list
element.  The functionality is defined only to preserve ALPN as
8-bit-clean, as requested by some TLS experts, but there will likely never
be a defined ALPN that contains these characters.

On Sun, May 2, 2021 at 5:27 PM Mark Andrews <marka@isc.org> wrote:

> I agree with you Dick, but some developers complained that they "couldn’t
> re-use their string parsers" (despite no existing parser supporting
> key=“value”)
> so now we have to double escape backslashes.  I very much feel that this
> is tail
> wagging the dog.
>
> > On 3 May 2021, at 01:25, Dick Franks <rwfranks@gmail.com> wrote:
> >
> > All,
> >
> > I have considerable difficulty with these test vectors at the end of
> > Appendix D.2:
> >
> >        16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
> >        16 foo.example.org. alpn=f\\\092oo\092,bar,h2
> >
> >        \# 35 (
> >        00 10                                              ; priority
> >        03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
> >        00 01                                              ; key 1
> >        00 0c                                              ; param length
> 12
> >        08                                                 ; alpn length 8
> >        66 5c 6f 6f 2c 62 61 72                            ; alpn value
> >        02                                                 ; alpn length 2
> >        68 32                                              ; alpn value
> >        )
> >
> > which appear to be incompatible with RFC1035 5.1 paragraph 10:
> >
> >        Because these files are text files several special encodings are
> >        necessary to allow arbitrary data to be loaded.  In particular:
> >
> >        ...
> >
> >        \X          where X is any character other than a digit (0-9), is
> >                    used to quote that character so that its special
> meaning
> >                    does not apply.  For example, "\." can be used to
> place
> >                    a dot character in a label.
> >
> >        \DDD        where each D is a digit is the octet corresponding to
> >                    the decimal number described by DDD.  The resulting
> >                    octet is assumed to be text and is not checked for
> >                    special meaning.
> >
> > The intention appears to be to include (a) a single arbitrary octet in
> > the argument, and (b) a plain text comma not being a delimiter in the
> > argument list. The specimen result is consistent with that assumption.
> >
> > Armed with the weapons supplied by RFC1035, the obvious way to
> > represent such an argument is:   alpn="f\092oo\,bar,h2"
> >
> >
> > A parser adhering strictly to RFC1035 zone file escape conventions:
> >
> >        #!/usr/bin/perl
> >        use Net::DNS 1.31;
> >        use Net::DNS::ZoneFile;
> >
> >        my $zonefile = new Net::DNS::ZoneFile(\*DATA);
> >        while ( my $rr = $zonefile->read ) {
> >            $rr->print;
> >        }
> >        exit;
> >
> >        __DATA__
> >        rfc1035-compliant.example.  SVCB    16 foo.example.org.
> > alpn="f\092oo\,bar,h2"
> >
> > produces the desired wire-format image:
> >
> >        rfc1035-compliant.example.  IN      SVCB    ( \# 35 0010    ; 16
> >                03666f6f076578616d706c65036f7267 00         ;
> foo.example.org.
> >                0001 000c 08665c6f6f2c626172026832 )
> >
> > Other parsers are available.
> >
> >
> > The test vectors, as written, appear to rely upon somehow reactivating
> > the special meaning of the escape character which is explicitly
> > disallowed by RFC1035.
> >
> > The result in each case is:
> >
> >        non-compliant.example.      IN      SVCB    ( \# 37 0010    ; 16
> >                03666f6f076578616d706c65036f7267 00         ;
> foo.example.org.
> >                0001 000e 06665c5c6f6f5c03626172026832 )
> >
> > the escaped escape characters being inserted as uninterpreted text per
> RFC1035.
> >
> >
> > Dick Franks
> > ________________________
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 <+61%202%209871%204742>              INTERNET:
> marka@isc.org
>
>