Re: [DNSOP] Minimum viable ANAME

Mark Andrews <marka@isc.org> Wed, 07 November 2018 06:36 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FEF6130EFE for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 22:36:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-598vq8x2f8 for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 22:36:23 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4A70130EFF for <dnsop@ietf.org>; Tue, 6 Nov 2018 22:36:23 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 1AE253AC367; Wed, 7 Nov 2018 06:36:23 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id BB609160050; Wed, 7 Nov 2018 06:36:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9A775160064; Wed, 7 Nov 2018 06:36:22 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MyYex6gvcgAy; Wed, 7 Nov 2018 06:36:22 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id E674D160050; Wed, 7 Nov 2018 06:36:20 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsAGJrzX5q5yVhn9JWbbgXeL3odNJyNe2HsvVrQcr7RCBw@mail.gmail.com>
Date: Wed, 07 Nov 2018 17:36:18 +1100
Cc: Erik Nygren <erik+ietf@nygren.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Ray Bellis <ray@bellis.me.uk>, "Bishop, Mike" <mbishop@akamai.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5F92867E-2131-40B7-B4DC-786511E88C0C@isc.org>
References: <201809211811.w8LIBdLA021837@atl4mhob20.registeredsite.com> <fdee6f3f-dd86-b482-5263-eb8e2a21bcb7@bellis.me.uk> <CAKC-DJi=Afer4uKprMf-uaNB07MVY-XJ+etocntY0BbU1bXYrg@mail.gmail.com> <CAHbrMsATrpdgP6PN2DSAjf+Nj7ZMywPu=FiGMzxjvoOm5ab2OA@mail.gmail.com> <F508AFA8-6611-4553-97AA-2A38A7F28691@isc.org> <CAHbrMsDXBJF1ieOx4H-zgCQp7SursR7q_25i99njp6m0McLg3Q@mail.gmail.com> <CFCB645C-ED49-457A-BB16-12987C87EE9F@isc.org> <CAHbrMsAGJrzX5q5yVhn9JWbbgXeL3odNJyNe2HsvVrQcr7RCBw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mBajhhtHComdX74LJYRmeoc0Fk4>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 06:36:32 -0000


> On 7 Nov 2018, at 4:54 pm, Ben Schwartz <bemasc@google.com> wrote:
> 
> 
> 
> On Tue, Nov 6, 2018 at 5:53 PM Mark Andrews <marka@isc.org> wrote:
> 
> 
> > On 7 Nov 2018, at 9:25 am, Ben Schwartz <bemasc@google.com> wrote:
> > 
> > 
> > 
> > On Tue, Nov 6, 2018 at 5:06 PM Mark Andrews <marka@isc.org> wrote:
> > 
> > 
> > > On 6 Nov 2018, at 5:27 am, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> > > 
> > > On Sat, Nov 3, 2018 at 4:12 PM Erik Nygren <erik+ietf@nygren.org> wrote:
> > > How does draft-schwartz-httpbis-dns-alt-svc-02 with some changes to make it more DNS-aligned (e.g. the name as a separate field in the record) not help here?
> > > 
> > > Thanks for mentioning DNS-Alt-Svc, Erik.
> > > 
> > > Compared to URI or the proposed HTTP record, one thing that's different about DNS-Alt-Svc is that Alt-Svc is always optional, as currently defined, and DNS-Alt-Svc inherits those semantics.  That means servers have to be prepared for some users to ignore the ALTSVC record, so the apex would still need AAAA records.
> > 
> > The publishing or the lookup?
> > 
> > Both.  Most web servers don't make use of Alt-Svc, and browsers are under no obligation to respect it (and indeed many don't).  It's strictly an optimization, and everything still has to work correctly without it.
> 
> HTTP is optional to be published.  For HTTP to a solution to name to server mapping in the DNS it needs to be looked up by clients and ALTSRV would also need to be looked up clients at the time
> A and AAAA records are being looked up.  Say it wouldn't is being disingenuous.  Legacy clients wouldn’t look it up.
> 
> HTTP as proposed isn't useful to site operators until it's deployed in all (their relevant) clients.  HTTP as proposed isn't useful to clients until there are servers that don't work without it.  This is essentially the same deadlock as with SRV, and IMHO it's the main reason we haven't made any progress on this topic.

Well it worked for SMTP. When MX records were introduced A records were the only thing SMTP
servers understood. It took a while but nobody now worries about publishing a MX record without
a A (or AAAA) records as a backup for legacy clients.  I still remember having to worry about publishing A records for legacy SMTP servers that didn’t understand MX records.

> It seems you're proposing that clients should implement this unilaterally now, with the expectation that servers will eventually start to depend on it, N years from now when client support is universal.  I think this is unlikely to happen.  By my estimate, this proposal would ask browser vendors to waste quadrillions of DNS queries over the next few years, waiting for a critical mass that may never arrive, in order to achieve a goal with no apparent benefit to the user.  If Browser A (X% of users) implements this feature, and Browser B (Y > 5% of users) never implements it, then most websites can never rely on it, and Browser A incurs an ongoing cost for no benefit to anyone.

Enough with this critical mass garbage because that is all that it is.  We could have completed
2 or 3 transitions since SRV was introduced in the DNS.

> Perhaps all the browser vendors will get on board, but if history is any guide, most will not, and even one holdout torpedoes the whole project.  (Also, browsers simply _can't_ implement it if they do DNS through POSIX libc, as many browsers traditionally have done.)

So they can’t link with libresolv which has supported unknown types and classes since it was written back when BSD 4.2 was released back in the 1990s?  

#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

#define T_HTTP <TBD>
unsigned char buf[65536];

n = res_init();
n = res_query(“example.com”, C_IN, T_HTTP, buf, sizeof(buf));

If you don’t want to block use res_mkquery and handle their own socket IO by looking in _res for the name server addresses.

unsigned char qbuf[512]; 
n = res_init();
n = res_mkquery(QUERY, “example.com”, C_IN, T_HTTP, NULL, 0, NULL, qbuf, sizeof(qbuf));


> > > Being optional may seem like a deficiency for this application, but I now think it's actually the best we can do as a first step.  If we start with an optional record type that offers added value (e.g. performance, privacy, or security), then both client vendors and server operators have a reason to invest in deployment.  Once it's widely deployed, then we can imagine simplified architectures that rely on the new record type, starting with servers that don't need to support legacy clients.
> > > 
> > > I think it's reasonable to have a roadmap to a full transformation of the DNS architecture for HTTP, but every step along the roadmap ought to have clear net benefit to each participating party.  This seems to require a design more or less like DNS Alt-Svc, where the additional indirection is coupled to other improvements for HTTP.
> > >  
> > >   It comes from the HTTP world and is aligned with the existing AltSvc feature and thus is useful in other ways (such as perhaps solving the DNS deployabilty issues for encrypted SNI):
> > > 
> > > https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02
> > 
> > 
> > What are the rules for populating the additional section of a response?
> > 
> > The DNS Alt-Svc draft currently doesn't cover this, but I would definitely be interested to hear suggestions.  Since support is optional, the draft focuses on the RFC 3597 opaque record process, but we can certainly consider further optimizations that would be possible in ALTSVC-aware DNS servers.
> >  
> > It looks like nameservers will have to split the rdata up on commas the look for protocol-id=value pair at the start of comma separated field.  Then look for the :port and remove it from value.
> > then look to see if there was a host specified and if so lookup up that name.
> > 
> > Wouldn’t be better to pre-parse the fields in the record?
> > 
> > [<len><id-len><id><host><port>[<name-len><name><value-len><value]*]{1+}
> > 
> > where host is in DNS wire format and . (00) is used for a empty host field in the alt-srv record?
> > 
> > Libraries can reconvert this to textual format if that makes it easier for a browser though
> > you may as well use it in structured format.
> > 
> > I'm fine with minor alterations to the syntax, but I'm not convinced that it's important.  Parsing the contents is optional (per RFC 3597), and writing a parser is trivial (as you've described).
> 
> Given lots of browser people complained that SRV would require two round trips to the recursive server not describing how to populate the additional section would seem to be a non-starter.
> 
> DNS Alt-Svc as specified can be done without blocking the page load critical path, so it doesn't add latency.  However, I agree that we would want an approved way to populate the Additional section before asking browsers to block pageload on an ALTSVC query.
>  
> Having to re-parse the record every time you serve it also seem like a big waste of resources so
> no it really isn’t a minor alteration from the DNS side.
> 
> In the architecture you're describing, each ALTSVC record would only need to be parsed once, when it arrives over the network.  I do not believe that this kind of parsing represents a significant cost: throughput will be network-limited before it is limited by this parsing step.
> 
> > Open-source parsers are widely available (e.g. from open-source browsers).  To avoid ossification, we'd need to have confidence that any deviations from the HTTP Alt-Svc syntax are losslessly interconvertible and future-proof, which is a high bar.
> 
> If you extend the syntax such that a parser to the binary format above breaks request a new type
> and start using it.
> 
> This will not work with DNS Alt-Svc, which is specified as a transparent pass-through for the HTTP Alt-Svc field value.  Even if we relax that requirement, adding new RRTYPEs would create increasing overhead and complexity, requiring clients to issue a query for every revision of the ALTSVC RRTYPE on every connection initiation.
>  
> 
> > > - Erik
> > > 
> > >      
> > > 
> > > On Sun, Sep 23, 2018, 10:41 AM Ray Bellis <ray@bellis.me.uk wrote:
> > > On 21/09/2018 19:11, JW wrote:
> > > 
> > > > I also feel from this discussion, we are all roughly on the same page. 
> > > > We want SRV as the long term solution ...
> > > 
> > > except that we heard at the side meeting in Montreal (albeit from
> > > browser people rather than content people) that they *don't* want SRV,
> > > because it has fields that are not compatible with the web security model.
> > > 
> > > I still want to define a new RR that does have mutually agreed semantics
> > > that's specifically for use by HTTP(s), but so far no takers.
> > > 
> > > Ray
> > > 
> > > _______________________________________________
> > > DNSOP mailing list
> > > DNSOP@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dnsop
> > > _______________________________________________
> > > DNSOP mailing list
> > > DNSOP@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dnsop
> > 
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org