Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

"Wellington, Brian" <bwelling@akamai.com> Thu, 23 July 2020 00:46 UTC

From: "Wellington, Brian" <bwelling@akamai.com>
To: Alessandro Ghedini <alessandro@ghedini.me>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] HTTPS/SVCB on Cloudflare DNS
Date: Thu, 23 Jul 2020 00:46:44 +0000
Message-ID: <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com>
References: <20200716151356.GA60024@wakko.flat11.house>
In-Reply-To: <20200716151356.GA60024@wakko.flat11.house>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lf4-VtLSJiSGr1tfl8OBOgDUo9E>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

I attempted to start implementing support for SVCB and HTTPS, and discovered that the data being served by Cloudflare does not conform to the current spec.

Assuming my decoder is correct, the response below decodes to:

1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4= ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e

and does not include a “mandatory” parameter.  But section 6.5 of draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key, says:

	This SvcParamKey is always automatically mandatory,

which implies that there MUST be a “mandatory” parameter.  Is this an oversight in the Cloudflare implementation, or is the Cloudflare implementation not implementing the current version?

Thanks,
Brian

> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> 
> Hello,
> 
> Just a quick note that we have started serving "HTTPS" DNS records from
> Cloudflare's authoritative DNS servers. Our main use-case right now is
> advertising HTTP/3 support for those customers that enabled that feature (in
> addition to using Alt-Svc HTTP headers).
> 
> If anyone is interested in trying this out you can query pretty much all domains
> served by Cloudflare DNS for which we terminate HTTP.
> 
> For example:
> 
>   % dig blog.cloudflare.com type65
> 
>  ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
>  ;; global options: +cmd
>  ;; Got answer:
>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
>  ;; OPT PSEUDOSECTION:
>  ; EDNS: version: 0, flags:; udp: 4096
>  ;; QUESTION SECTION:
>  ;blog.cloudflare.com.		IN	TYPE65
> 
>  ;; ANSWER SECTION:
>  blog.cloudflare.com.	300	IN	TYPE65	\# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E
> 
> Cheers
> 
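As an added illustration (not code from either message in this thread), here is a decoder for the SVCB/HTTPS RDATA shown in the quoted dig output, using the SvcParamKey numbering of the published spec (RFC 9460) and applying the key-ordering and "mandatory" checks a validating implementation would make. The only input is the 76-byte hex string from the dig answer; the small malformed records in the comments are constructed for illustration.

```python
import base64
import ipaddress
import struct

# RDATA hex as in the dig output quoted in this thread (RFC 3597 "\# 76 ..." form).
RDATA_HEX = ("000100000100150568332D32390568332D32380568332D3237026832"
             "0004000868121A2E68121B2E00060020260647000000000000000000"
             "68121A2E26064700000000000000000068121B2E")
# SvcParamKey numbers as assigned in the published spec (RFC 9460).
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def read_name(buf, pos):
    """Uncompressed wire-format name -> (presentation form, next offset)."""
    labels = []
    while buf[pos] != 0:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def decode_value(key, val):
    """Decode one SvcParamValue; keys without a presentation rule here -> base64."""
    if key == 0:  # list of 16-bit SvcParamKeys
        return [KEY_NAMES.get(k, f"key{k}") for k in struct.unpack(f"!{len(val) // 2}H", val)]
    if key == 1:  # length-prefixed ALPN identifiers
        out, i = [], 0
        while i < len(val):
            out.append(val[i + 1:i + 1 + val[i]].decode("ascii")); i += 1 + val[i]
        return out
    if key == 4:
        return [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
    if key == 6:
        return [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
    return base64.b64encode(val).decode()

def decode_svcb(rdata):
    """SVCB/HTTPS RDATA -> (priority, target, {param: value}), enforcing the spec's key rules."""
    priority, = struct.unpack("!H", rdata[:2])
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last_key or pos + 4 + length > len(rdata):
            raise ValueError(f"SvcParamKey {key}: out of order or value overruns RDATA")
        params[KEY_NAMES.get(key, f"key{key}")] = decode_value(key, rdata[pos + 4:pos + 4 + length])
        pos, last_key = pos + 4 + length, key
    # 'mandatory' may be absent; if present it must not list itself, and each key it names must be present.
    for k in params.get("mandatory", []):
        if k == "mandatory" or k not in params:
            raise ValueError(f"mandatory names {k!r}, which is absent or not allowed")
    return priority, target, params
```

Under the RFC 9460 numbering key 4 is ipv4hint, so the 8-byte value after alpn decodes as two IPv4 addresses rather than an echconfig; the key numbers moved between drafts, which is exactly the kind of version skew this thread is asking about.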