Re: [DNSOP] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 31 August 2022 17:01 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE0AEC157B37 for <dnsop@ietfa.amsl.com>; Wed, 31 Aug 2022 10:01:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NeU-e2_ig6mM for <dnsop@ietfa.amsl.com>; Wed, 31 Aug 2022 10:01:47 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA1E1C147920 for <dnsop@ietf.org>; Wed, 31 Aug 2022 10:01:46 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 853541042DC; Wed, 31 Aug 2022 13:01:45 -0400 (EDT)
Date: Wed, 31 Aug 2022 13:01:45 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <Yw+T+ULE+8eWNc4Q@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHw9_iJg7yTECPbPvSNxac21My4SqPjMjhYS4tFRWBzFmjkLjg@mail.gmail.com> <CAH1iCipRjnvs71iiK1aaMKj98P65-NqKSL4+XfmMA_MsU9_JNg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gkZKzaHGWMQWJpzOvX4uA1Oyw_s>
Subject: Re: [DNSOP] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2022 17:01:48 -0000
On Wed, Aug 31, 2022 at 01:39:32AM -0700, Brian Dickson wrote: > Here are some proposed text changes, per Warren's invitation to send text: > > In section 1.2, change: > > 2. TargetName: The domain name of either the alias target (for > AliasMode) or the alternative endpoint (for ServiceMode). > > to: > > 2. TargetName: Either the domain name of the alias target (for > AliasMode) or the host name of the alternative endpoint (for ServiceMode). This looks correct. The alternative target name needs to be a valid hostname. > In section 2.4.2, change: > > As legacy clients will not know to use this record, service operators > will likely need to retain fallback AAAA and A records alongside this > SVCB record, [... unchanged ...] > > to: > > As legacy clients will not know to use this record, service operators > will likely need to retain fallback AAAA and A records at the service name, > [... unchanged ...] This is correct, because in the presence of one or more AliasMode records the ServiceMode record is no longer "alongside" the A/AAAA records. > In section 2.4.3, change: > > In ServiceMode, the TargetName and SvcParams within each resource > record associate an alternative endpoint for the service with its > connection parameters. > > to: > > In ServiceMode, the TargetName and SvcParams within each resource > record associate an alternative endpoint for the service with its > connection parameters. The TargetName MUST be a host name > (as defined in [DNSTerm].) This is basic conformance with RFC 1123 section 2, avoids interoperability issues with proxies, and various software that validates hostnames in applications and DNS resolvers. Otherwise, this document may need to update RFC 1123, relaxing the syntax rules for hostnames. > In section 3, the following changes are proposed; they introduce a new term > LASTNAME to be used to disambiguate the $QNAME reference so as to remove > ATTRLEAF prefixes from the appended target: > > > 1. Let $QNAME be the service name plus appropriate prefixes for the > scheme (see Section 2.3). > > becomes: > > 1. Let $QNAME be the service name plus appropriate prefixes for the > scheme (see Section 2.3). Let $LASTNAME be the service name without > any prefixes. > > > 3. If an AliasMode SVCB record is returned for $QNAME (after > following CNAMEs as normal), set $QNAME to its TargetName > (without additional prefixes) and loop back to step 2, subject > to chain length limits and loop detection heuristics (see > Section 3.1). > > becomes: > > 3. If an AliasMode SVCB record is returned for $QNAME (after > following CNAMEs as normal), set $QNAME to its TargetName > (without additional prefixes), set $LASTNAME to this new $QNAME > and loop back to step 2, subject to chain length limits and > loop detection heuristics (see Section 3.1). > > > Once SVCB resolution has concluded, whether successful or not, SVCB- > optional clients SHALL append to the priority list an endpoint > consisting of the final value of $QNAME, the authority endpoint's > port number, and no SvcParams. (This endpoint will be attempted > before falling back to non-SVCB connection modes. This ensures that > SVCB-optional clients will make use of an AliasMode record whose > TargetName has A and/or AAAA records but no SVCB records.) > > becomes: > > Once SVCB resolution has concluded, whether successful or not, SVCB- > optional clients SHALL append to the priority list an endpoint > consisting of the final value of $LASTNAME, the authority endpoint's > port number, and no SvcParams. (This endpoint will be attempted > before falling back to non-SVCB connection modes. This ensures that > SVCB-optional clients will make use of an AliasMode record whose > TargetName has A and/or AAAA records but no SVCB records.) > This scary-looking long edit is an attempted bug correction. But Ben tells me that the actual intent is to only add $QNAME to the search list if there's a non-zero number of AliasMode records encountered. Otherwise, there is no need to append any $QNAME to the list, since it is the same as the legacy fallback (non-SVCB connection modes below). A simpler fix should be possible. > If the client is SVCB-optional, and connecting using this list of > endpoints has failed, the client now attempts to use non-SVCB > connection modes. > > becomes: > > If the client is SVCB-optional, and connecting using this list of > endpoints has failed, the client MAY attempt to use non-SVCB > connection modes, using the origin name (without prefixes), > > the authority endpoint's port number, and no SvcParams. And then this change likely becomes redundant. > One additional suggested addition to the end of section 3.1 is: > > If DNS responses are cryptographically protected, and at least > one HTTPS AliasMode record has been received successfully, > clients MAY apply Section 9.5 (HSTS equivalent) restrictions > even when reverting to non-SVCB connection modes. Clients > also MAY treat resolution or connection failures subsequent > to the initial cryptographically protected AliasMode record > as fatal. > > [Brian's note: this last would provide some guidance to implementers of > clients: a signed HTTPS AliasMode record is a strong signal that the DNS > operator is discouraging fallback, albeit at a "MAY" level.] This likely indeed falls into the territory of new work. On Wed, Aug 31, 2022 at 06:25:26AM -0700, Warren Kumari wrote: > On Wed, Aug 31, 2022 at 4:39 AM, Brian Dickson <brian.peter.dickson@gmail.com> wrote: > > > Here are some proposed text changes, per Warren's invitation to send text: > > Um, no. Warren said: "can we craft a sentence (or possibly two) which only > clarify what is already written?". This is a significantly larger set of > changes than that. The Section 3 changes in particular are (IMO) much more > than a clarification. > > These may or may not be good changes, but anything approaching that level > of change would have to be in a -bis document… Can we "rescue" just the clarifications/corrections? * Fix the $QNAME issue * Clarify that ServiceMode targets MUST be valid hostnames [ It may be worth noting that also AliasMode targets that are not valid hostnames may not be suitable fallback values to append to the candidate target list, though if one is sure that these will then resolve to a usable ServiceMode record, then the intermediate non-hostname falls out of the picture. In a "-bis" document I'd be inclined to say that the targets of all SVCB/HTTPS records "SHOULD" be hostnames. ] -- Viktor.
- [DNSOP] Questions / concerns with draft-ietf-dnso… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] Questions / concerns with draft-ietf-… Brian Dickson
- Re: [DNSOP] Questions / concerns with draft-ietf-… Stephen Farrell
- Re: [DNSOP] Questions / concerns with draft-ietf-… Martin Thomson
- Re: [DNSOP] Questions / concerns with draft-ietf-… Stephen Farrell
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] Questions / concerns with draft-ietf-… Eric Orth
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] Questions / concerns with draft-ietf-… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Eric Orth
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Tommy Pauly
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- [DNSOP] HSTS on receiving a signed HTTPS record (… Martin Thomson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Eric Orth
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Brian Dickson
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Eric Orth
- Re: [DNSOP] [Ext] Questions / concerns with draft… Tommy Pauly
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Martin Thomson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren