IETF Logo Mail Archive

Re: [DNSOP] Fwd: HTTPSSVC record draft

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 08 July 2019 22:40 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F40461202E9 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 15:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZkNDGygpHYD for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 15:40:06 -0700 (PDT)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9902A12034A for <dnsop@ietf.org>; Mon, 8 Jul 2019 15:40:06 -0700 (PDT)
Received: by mail-vs1-xe2d.google.com with SMTP id k9so9338348vso.5 for <dnsop@ietf.org>; Mon, 08 Jul 2019 15:40:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D5n8oEWgabAu8njCw9A/c9LrvyYHbdZPMfxtMaDs0uQ=; b=r+iFZ8rInpNGDdEoiQ9IB9OdnaGkVOw+u9mWrCvGGOBcMghgAOhJxc5ybIVIMYhU7c sstiJxRqKPrxgHkbOPByHcBljPK3bgUSSZas8s9nU3fd3qtNcGQKNHlAXBW+h+XwiKF6 5i3VDLrBlBBLB6GLjRjy+Wqd0fW+jAy/Xl6bq/tvO7Jie61mUZ0HiGuefqmDHkjk64xZ PyOXl5L68x9+j7DFGJk+cx7zBoL8Bx6+FpSfFsHOk2W/fUa1GEsHPyC0+6cLbJTeMcG4 Z3Il6gF07YZ6fQoKsi4v3FsszdIoAs85BfZszqHBqCPda2T84su3hKvvkJKYs+tQxAmG gamw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=D5n8oEWgabAu8njCw9A/c9LrvyYHbdZPMfxtMaDs0uQ=; b=LnAdWVJLYI97JQpa1sB5QurVyMNrZmisvj6w8VOak7Uzb3VjevuZDbPOdPu72AAWhf gn3lBmn3X28bZYp4guVt9g8WHmtSCsADpvqb10MtAJO+7lzOMds/q1xr/O0v9GHSKZet BrYKwYtp4wxfErr4uwE50KD5xjUReRtqonly304YEKAqppnj2sntBTft+kL2G6clN/e2 Y40oFhTQKazHgBvuzgvHoqm17g0BBEvu/Kvk9lUXJLn6wsqKH2ZNkdGzydcoWqlFBobD YLb34CPK/tOR4JkzLg+U8oFaScr9aMi8b3mzU1QsORtWyWblbGLFFLQOxg1sDpylGdA4 ah1g==
X-Gm-Message-State: APjAAAWeu+F17vj5JG9vrizURX+ON7VGytm19YAxr1WYSGwTqYMtUsJa lqO2Ki/lIMUO/SBMjS64TrsGZGQUobWAL5UQkLvXC/xe
X-Google-Smtp-Source: APXvYqxIjd7Tmr0bj1H9ap4G6arxiyM8onGwl7viE6UMxoGev8WfCY/bgwfpHbBfKGGbE+c+Tk4w07c+889R9ZrxQQ8=
X-Received: by 2002:a67:edcf:: with SMTP id e15mr8855042vsp.75.1562625605566; Mon, 08 Jul 2019 15:40:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk> <CAKC-DJhaZoC2eNH8kP80Dfe-CnsOnRg6A6XDD7pWhwYdx8x7tA@mail.gmail.com>
In-Reply-To: <CAKC-DJhaZoC2eNH8kP80Dfe-CnsOnRg6A6XDD7pWhwYdx8x7tA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 08 Jul 2019 15:39:54 -0700
Message-ID: <CAH1iCiprPWEV2Ts3XOa3-mZRR_Y9zkQMMQRDLUsnxDp3rC0Qmw@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Ray Bellis <ray@bellis.me.uk>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023050b058d332086"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kJ4X1lendpe9rK9uLC0zUudmz7A>
Subject: Re: [DNSOP] Fwd: HTTPSSVC record draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 22:40:17 -0000

Hi, Erik,

One minor issue is that wherever CNAME is referenced, you probably want to
also include a reference to DNAME, including any implied or explicit
chaining of CNAMEs (which could be sequences of CNAME and/or DNAME modulo
their respective behavior.)

It might be a little clearer if the list of alt-svc values (h2, h3, etc)
that can occur were to be listed in the document. In particular, the
association between h3 and QUIC is inferred but not explicitly called out
(at least not that I noticed.)

You might also want to explain the motivation for keeping the FQDN separate
from the alt-svc parameters (to make it trivial to parse, and thus to do
DNS substitutions like CNAME/DNAME). It is there, just not as up-front as
it could be.

Otherwise, I think many of us would very much love to see this implemented,
as much of ANAME is fundamentally incapable of meeting the intended goals,
which this does very nicely.

Brian

On Mon, Jul 8, 2019 at 2:20 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> Ray, thanks for introducing this to dnsop!
> I've published a -03 with some of the feedback received so far:
>      https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-03
>
> For DNSOP folks, and ANAME proponents in-particular,
> I/we are especially interested in understanding if this would address
> enough of the customer use-cases driving ANAME were major
> browsers to implement support for HTTPSSVC, or would any
> limitations here cause problems there?
>
> I think the ideal would be for this to simultaneously solve
> enough of the ANAME use-cases (to ideally obviate the need for ANAME)
> and to also solve the other problems that clients are interested in solving
> (ESNI via DNS, H/3 via DNS, etc) to get this broadly deployed at least
> for the "web browser" use-case.
>
> Most significant changes from -01 to -03 based on feedback:
>       *  Remove the redundant length fields from the wire format.
>       *  Define a SvcDomainName of "." for SvcRecordType=1 as being the
>          HTTPSSVC RRNAME.
>       * Switch from 302 to 307 redirect for HSTS equivalent.
> but there also some added examples and other clarifications based on
> feedback received.
>
> While this is still an individual draft, we have been tracking it here:
>     https://github.com/MikeBishop/dns-alt-svc
> but as always, commentary on the IETF lists is generally preferable.
>
>    Erik
>
>
>
>
> On Mon, Jul 8, 2019 at 5:01 AM Ray Bellis <ray@bellis.me.uk> wrote:
>
>> For those not paying attention to the HTTP-bis working group, this DNS
>> RR was proposed there last week.
>>
>> It appears to subsume the ALT-SVC proposal and also covers the use case
>> I had in mind with my HTTP Record draft (i.e. CNAME at the apex).
>>
>> Given that it has someone from at least major browser vendor supporting
>> it there's some hope that this will actually be implemented by them.  It
>> therefore seems my draft is probably no longer required.  Hopefully
>> ANAME will follow it the same way ;-)
>>
>> Ray
>>
>> -------- Forwarded Message --------
>> Subject:        HTTPSSVC record draft
>> Resent-Date:    Wed, 03 Jul 2019 18:46:25 +0000
>> Resent-From:    ietf-http-wg@w3.org
>> Date:   Wed, 3 Jul 2019 14:45:47 -0400
>> From:   Erik Nygren <erik+ietf@nygren.org>
>> To:     ietf-http-wg@w3.org Group <ietf-http-wg@w3.org>, Mike Bishop
>> <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, Benjamin
>> Schwartz <bemasc@google.com>, Erik Nygren - Work <nygren@akamai.com>
>>
>>
>>
>>
>> Ben, Mike, and I have submitted the first version of a proposal for an
>> "HTTPSSVC" DNS record.
>>
>> TL;DR:  This attempts to address a number of problems (ESNI, QUIC
>> bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for
>> HTTP, etc) in a holistic manner through a new extensible DNS record,
>> rather than in a piecemeal fashion.  It is based on some previous
>> proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes
>> into account feedback received in DNSOP and elsewhere.
>>
>> Feedback is most welcome and we're looking forward to discussing with
>> people in Montreal.
>>
>> Draft link:
>>
>> https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01
>>
>>
>>
>>   From the abstract:
>>
>> This document specifies an "HTTPSSVC" DNS resource record type to
>> facilitate the lookup of information needed to make connections for
>> HTTPS URIs.  The HTTPSSVC DNS RR mechanism allows an HTTPS origin
>> hostname to be served from multiple network services, each with
>> associated parameters (such as transport protocol and keying material
>> for encrypting TLS SNI).  It also provides a solution for the inability
>> of the DNS to allow a CNAME to be placed at the apex of a domain name.
>> Finally, it provides a way to indicate that the origin supports HTTPS
>> without having to resort to redirects, allowing clients to remove HTTP
>> from the bootstrapping process.
>>
>> By allowing this information to be bootstrapped in the DNS, it allows
>> for clients to learn of alternative services before their first contact
>> with the origin.  This arrangement offers potential benefits to both
>> performance and privacy.
>>
>> This proposal is inspired by and based on recent DNS usage proposals
>> such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to
>> have SRV or a functional equivalent implemented for HTTP).  These
>> proposals each provide an important function but are potentially
>> incompatible with each other, such as when an origin is load-balanced
>> across multiple hosting providers (multi-CDN). Furthermore, these each
>> add potential cases for adding additional record lookups in-addition to
>> AAAA/A lookups.  This design attempts to provide a unified framework
>> that encompasses the key functionality of these proposals, as well as
>> providing some extensibility for addressing similar future challenges.
>>
>> --
>>
>> Some likely FAQs (with some others listed in an appendix):
>>
>> Q: Why this is HTTP-specific?
>> A: This is because every protocol has different bootstrap requirements.
>> This draft is concerned with improving the efficiency and security of
>> bootstrapping HTTPS connections.  This proposal does offer room for
>> non-HTTPS protocols, but the nature of DNS requires underscore prefixing
>> to support protocol-keyed answers within a single RRTYPE. It's also
>> unlikely that a single RR format would be the ideal bootstrap mechanism
>> for every protocol, and there's no reason that multiple protocols should
>> have to share an RRTYPE.
>> Q: Why is ESNI addressed directly?
>> A: This helps make a major motivation of this draft more clear.
>> Splitting out those sections to a separate-but-associated "alt-svc
>> attribute for ESNI keys" draft might make sense, but keeping it here
>> helps work through some of the issues together.
>>
>> Q: Why does this try to address the HSTS case?
>> A: This is a unique opportunity to fix HTTPS bootstrap and avoid
>> providing insecure defaults.  We'd originally proposed a separate
>> Alt-Svc attribute to indicate hsts-style behavior, but then realized
>> that it would make sense to push on that as the default here.
>>
>> Best, Erik
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email