IETF Logo Mail Archive

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Tommy Pauly <tpauly@apple.com> Wed, 19 May 2021 14:49 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAF323A12E7 for <dnsop@ietfa.amsl.com>; Wed, 19 May 2021 07:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KZXK2HxBCWi0 for <dnsop@ietfa.amsl.com>; Wed, 19 May 2021 07:49:48 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABAA73A12E2 for <dnsop@ietf.org>; Wed, 19 May 2021 07:49:48 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 14JEgef3055196; Wed, 19 May 2021 07:49:44 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=7lao14ncOxKZfc3MN2RV/MKjc8Fmp9ODD4G00dufwcI=; b=kmxdPaBnSbTshVUlaxfE2pkqLSIvu4z8t4ypnfWHs7ZEZwAM8DpuM/UxgPeApW82jqxh 53wOKlCz0ETtn3h6FD+Q/2fwswnZFQ7Cxds4ivXJg03415anp5rldrJheVDqQ2lnjS8n i7shdeJ6PQNAoFArvo+iGWvSEhNyg4DZvSljLGJuUoDQzG1dpHrA0gSA6yM62jg+JC9j jLMStoTf3ze4sHSfzvp26D5jtFXjotC85r1ttdA7Ag05B/RpnfNSJPVk5IhH3iN30JJ1 bHVhzJun7fmgDMMsBM4getAR1cKBhb/zJ4ZZFuV7GyxOGUg8pCjnPw2LtnrjzpY0zbad +Q==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 38jx329h9q-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 19 May 2021 07:49:44 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QTC00FC3ZUVQ070@rn-mailsvcp-mta-lapp02.rno.apple.com>; Wed, 19 May 2021 07:49:43 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QTC01000ZMC4900@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 19 May 2021 07:49:43 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 9415bd7e7054339cb3a35eabecc4ab39
X-Va-E-CD: 15cf04f9eac2eb842091974d83fbd438
X-Va-R-CD: d937fe06e0025caedf842e3d09b5492f
X-Va-CD: 0
X-Va-ID: f704c44b-6915-4dd7-a7b5-3bf4ecb18573
X-V-A:
X-V-T-CD: 9415bd7e7054339cb3a35eabecc4ab39
X-V-E-CD: 15cf04f9eac2eb842091974d83fbd438
X-V-R-CD: d937fe06e0025caedf842e3d09b5492f
X-V-CD: 0
X-V-ID: f9493183-8540-425f-aebd-d10ef36b2c1c
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-19_07:2021-05-19, 2021-05-19 signatures=0
Received: from smtpclient.apple (unknown [17.11.83.134]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QTC00SDEZUVTB00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 19 May 2021 07:49:43 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <C3734365-D5F7-4F9A-A463-5EFBB841A583@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_A0E8572E-C9C4-49F3-B8F7-E6844EDA563C"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.6\))
Date: Wed, 19 May 2021 07:49:42 -0700
In-reply-to: <CAKC-DJj3nPAZp=qpwjBJ_3yG_EO-q-bcJbaizUNw9uq6deVZjg@mail.gmail.com>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, John Levine <johnl@taugh.com>, Brian Dickson <brian.peter.dickson@gmail.com>, Eric Orth <ericorth=40google.com@dmarc.ietf.org>, Joe Abley <jabley@hopcount.ca>
To: Erik Nygren <erik+ietf@nygren.org>, dnsop <dnsop@ietf.org>
References: <7ADF1FB2-97A4-4C49-8F25-8BF03BE01640@hopcount.ca> <20210512213903.D5F1F7AA827@ary.qy> <CAMOjQcFJjcsvaREF0fr+2GTY4zTy5CxSxR16BEp=Nc-K9WJ0Tg@mail.gmail.com> <CAH1iCipAVKVCuH2ME=+YpeJyijrKCtzJaU3bRFyy1f48EB33iw@mail.gmail.com> <CAHbrMsCjWgV7nc575L_qdvr7HdoEVKqkXRwLdXA2L5NiCgdvwA@mail.gmail.com> <CAH1iCipW_-BSMQZ-S+m18pyzfxTGsCrmG9Pc-b35_VRiLhxh4w@mail.gmail.com> <CAHbrMsDvEkYAxee4xjW5LsQmr0PgBf+UmMAuME-_UvRMg4jJeA@mail.gmail.com> <CAH1iCiq4zJZBv5=f7T2EDRWKa7bAZx66SMKkf+AiDsDPTZokhQ@mail.gmail.com> <CAHbrMsAW_wtKmRDYKZVUrFLZYuM_DqoS-8VRMf-O0Z8WpPBfbg@mail.gmail.com> <CAKC-DJj3nPAZp=qpwjBJ_3yG_EO-q-bcJbaizUNw9uq6deVZjg@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.80.0.2.6)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-19_07:2021-05-19, 2021-05-19 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fxzx3K89zVSWnFbNaG_xOIAARzs>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 14:49:53 -0000

I wanted to chime in on this discussion as a client-side implementor who has already widely deployed support for SVCB/HTTPS.

The current format, where the parameters are structured as a list within a single RR, is certainly simpler and less error prone for processing. Much of the information contained as parameters within the SVCB RR are useful for higher-level “application” logic. Within our deployment, the DNS stub resolver daemon receives the RR and does the parsing, and passes up the parameters bundle as a blob that is more or less opaque, to the layer that handles actual connection processing (doing happy eyeballs, protocol selection).

Processing the content of SVCB parameters must be handled atomically: the ALPN, ECH config, and any other information must be handled clearly as a unit and not have any chance of being broken up. Lots of code is already based on processing RRs as chunks of data, and requiring anyone looking at the information to stitch the parameter list back together based on multiple RRs that must be in a particular order adds complexity and invites in bugs and errors.

I’d strongly encourage sticking with the wire image we’ve already been using and deploying. I like Erik’s suggestion that we solve the issues with parsing by putting more rules and constraints of the set of available characters, etc. 

Best,
Tommy

> On May 17, 2021, at 2:58 PM, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> 
> On Mon, May 17, 2021 at 5:36 PM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote:
> 
> 
> On Sat, May 15, 2021 at 12:48 PM Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
> 
> 
> On Thu, May 13, 2021 at 10:25 AM Ben Schwartz <bemasc@google.com <mailto:bemasc@google.com>> wrote:
> 
> 
> On Thu, May 13, 2021 at 12:51 AM Brian Dickson <brian.peter.dickson@gmail.com <mailto:brian.peter.dickson@gmail.com>> wrote:
> 
> 
> On Wed, May 12, 2021 at 9:33 PM Ben Schwartz <bemasc@google.com <mailto:bemasc@google.com>> wrote:
> ... 
> Breaking the binding into pieces creates many new opportunities for error, such as having multiple TargetNames in a single binding.  It corresponds to a multimap datastructure instead of a standard map.  Every attribute of each binding would naturally be an unordered collection, which is a bad fit for attributes that are required to be singular, or an ordered list, or anything other than a set.
> ... 
> So, taking your observations about TargetName into account, and borrowing from the overloading of Priority to signal AliasMode, here's an alternative that I think addresses most of the concerns.
> Priority {AliasTarget | ServiceTarget | KeyName} {ServiceBindingPriorityValue | Value}
> where
> Priority == 0 => AliasMode
> Priority >0, <128 => ServiceMode
> Priority > 128 => ServiceBinding key-value record 
> 
> The same example would be encoded (again with only RDATA values):
> 1 target "h3pool" 128
> 128 alpn "h2,h3"
> 128 ech "123..."
> 2 target "." 129
> 129 alpn "h2"
> 129 ech "abc..." 
> 
> I find this format, with multiple lines and multiple integers per binding, much more difficult to read or write than the current draft, especially since the elements of each binding can potentially be spread across a zone file (perhaps by accident) in arbitrary order.
> 
> 
> I concur with Ben here.  Thank you for spelling out and proposing this alternative, but this seems much less usable
> and understandable by a typical user, either for zone publication or for reading diagnostic output from tools 
> like "dig" or for talking about in other drafts specifying SVCB.  
> 
> Side-note: some precursors to SVCB and earlier discussions in the working group
> proposed using a standardized format such as CBOR for encoding the SvcParams but
> that approach was discarded as bringing in a bunch of its own baggage and being too
> different from typical DNS usage.
> 
> An approach HTTP took was to define "Structured Field Values for HTTP" (rfc8941)
> which may be more complexity than is needed here, but perhaps there
> is a similar approach that could work for SVCB of defining explicit types
> for SvcParamValues?
> 
> Another approach could be seeing if there was a way to require
> everything to use a limited character set and require escaping
> for things outside of these constraints.  For example, alpn values
> with a limited set of token characters would be allowed as strings,
> but anything else would need escaping.  Would require base64 encoding
> of SvcParamValues wanting characters outside of "non-special" 
> be easier to parse, perhaps with a prefix to indicate that a string is base64 type?
> Are there other similar things that would keep the format similar to the existing
> format but reduce the number of parser special-cases needed?
> 
>      Erik
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email