Re: [DNSOP] SVCB chain lengths
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 27 December 2019 20:18 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F2312010E for <dnsop@ietfa.amsl.com>; Fri, 27 Dec 2019 12:18:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZVx2QyyHz6k for <dnsop@ietfa.amsl.com>; Fri, 27 Dec 2019 12:18:20 -0800 (PST)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E1E12006F for <dnsop@ietf.org>; Fri, 27 Dec 2019 12:18:19 -0800 (PST)
Received: by mail-vs1-xe35.google.com with SMTP id p6so17519192vsj.11 for <dnsop@ietf.org>; Fri, 27 Dec 2019 12:18:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WIzpBVHORjAomPbe7iBdIbyQ3weNwpkgzz+LIeR8IgI=; b=i0Mdq4VXlI2RU1ahysaNxVnH3Iyt5T5syi9kayc9JvHVSQFxAmDTTUTK0fMA9wG1yW Bl4nSJ71W2kr3nuezxgfhwfrD8A4EbjVT2Tj/nH08Q+gXKWKyf4mwMVmuNeUpnT3nJnZ L+/toJV1Lzj0Wo9GQteIWYU1xC6RIvYVXB1ctKoZ1YYcSa2kOL6aLp19wOyXJKVozrFG LTRU1NUbVzxI3QLUNubAPSZ++ScKtjaPJRK4MQGYb2Y+LdVJVP0+HmlrZag4SCNC8FnP 7vEWj4bEFgLL+7hPtAhDS0qE+r7R6G/8DBQckfKHax3OfXhtuUhyOSEQSzM3qBBEAs9l LvRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WIzpBVHORjAomPbe7iBdIbyQ3weNwpkgzz+LIeR8IgI=; b=S5KTAi+3xvhv0ZaeqqoL0rRifhSa7ePOZvCb2c2ldxnO+uH9nFr/emG6P6Xr5utjIx a9AtJEUL8vaFLkRZsxPkXRRyiRdjsV+FozZ+CxgqxWY9Wx6K5cl/AxMgjV+s9YTDkdQy BNbOsdXZ+kY35+yHRI1Kkf2UeUo41269j8GconrJt6ckLUQPS3od9a1/I3d8+33hZm+A KqSKh82Dr5f7R6xP7wIW/TzosjEk6zZsY8p79uu1YQP2DlwwUc/DVrcjsCKIjQnazPtJ q0Ru91P+FKDXMIIH7jBT6oq9u030UI8fB8PCTLEauoyKGwmSQpILFjF6mNfcDqcnba8a CbOg==
X-Gm-Message-State: APjAAAVM/j9P/UnGnYB5TtgGIDUIgLAJAZGpZK1YTvyHEhQD+y3g7GmA yFPQkfmw48Gk5Qi7hsEnucZDN1No7YAEJWC34WXT6g==
X-Google-Smtp-Source: APXvYqyD7qNPzadBBwnBm60GiMIRgfhS8mmXRchvkvnW2lSN1/sBIxUaQSfrEQ2MT5ITzshjVnEhrgydbKKXKMj7Aq4=
X-Received: by 2002:a67:fc09:: with SMTP id o9mr28920182vsq.75.1577477898990; Fri, 27 Dec 2019 12:18:18 -0800 (PST)
MIME-Version: 1.0
References: <CAMOjQcGP3=+_fb9pt3dvF27kR1ENH+=2L28EDNPQU6JF8zkrzQ@mail.gmail.com> <CAH1iCirdFrT_v-FBqaC=WUfaY52DyeYLh5VWbeVsw2YwscDCpA@mail.gmail.com> <CAHbrMsBAmQU-xduT3E4_sHaqrpsdZ_YfdEtgoNB4kti4jDCvdQ@mail.gmail.com> <CAH1iCip0iY8Mt8=HC0-V8jF=D=BGcs54xUMu4Rkbe47FFxGyuA@mail.gmail.com> <CAMOjQcG2YOBa1X7ZqAUpDG0Cwr+nOzmy-bKJmbqaQEqrcTOCAQ@mail.gmail.com> <CAH1iCip6CdLSNAmBB-j=Qya26j=OoLoBGyMtXEWQ0sQz9Z2HYw@mail.gmail.com> <CAMOjQcGLhu-27932_FoyNmV=7RGG074zzkaGNxHMs0qrfAO+4A@mail.gmail.com> <CAMOjQcEZqvpYNTJ7vRXdkC11mUYADvBOnzOHTwWH49wyXBfp_Q@mail.gmail.com>
In-Reply-To: <CAMOjQcEZqvpYNTJ7vRXdkC11mUYADvBOnzOHTwWH49wyXBfp_Q@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 27 Dec 2019 12:18:07 -0800
Message-ID: <CAH1iCirVB2-xDbOqhFGOk3Yv7mQHFGKCiWmp=A+vPhDN7Skbqg@mail.gmail.com>
To: Eric Orth <ericorth=40google.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cf7b70059ab53149"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nWxyzuBFFpFkJKT2-qgvrXXyoTE>
Subject: Re: [DNSOP] SVCB chain lengths
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 20:18:23 -0000
On Fri, Dec 27, 2019 at 10:25 AM Eric Orth <ericorth= 40google.com@dmarc.ietf.org> wrote: > I propose we add the following 4 statements to the spec: > 1) Alias-form SVCB records SHOULD NOT delegate to names with any form of > alias record such as alias-form SVCB or CNAME. > 2) Clients receiving SVCB records MAY limit the length of chains of > alias-form SVCB records that they will follow. > 3) Stub resolvers SHOULD follow at least one alias-form HTTPSSVC record > before enforcing chain limits. > 4) Recursive resolvers SHOULD follow at least (8?) alias-form > HTTPSSVC records before enforcing chain limits. > > Point (1) is an extension/clarification of the similar rule for CNAME in > RFC1034. I think SVCB would work a lot better if everybody just always > aliases to the final server whenever possible and reasonable. > This element of 1034 has never been observed by implementers or operators. If you REALLY need this clarified, maybe a 1034-bis that removes this rule on CNAMEs, would make the documentation on DNS consistent with deployed reality. If you insist on SVCB mirroring 1034, please be prepared for a lot of pushback, up to and including such a -bis document... SVCB might work better if everyone does what you ask, but the underlying reality is that that is not always possible (at all), where "not always" means "anywhere that single-vendor vertical integration is not occurring". There are currently artificial barriers to interoperation, which result in several (more than 3?) instance of vertical integration, each of which has 20% (in many cases, much less) of the total domain name space. This limitation on SVCB prevents real-world use of SVCB for inter-provider (hybrid, redundant, whatever) usage. I'd like to see an eventual deployment scenario where any domain can use SVCB for any appropriate use case, and where resolvers do all the SVCB heavy lifting. We can't get there if we can't get beyond the vertical integration limitation, which Point (1) necessarily prohibits for 99% of existing actual deployed apex "cname" usage, which is likely to be the earliest and biggest use case of alias-form SVCB. (Specifically, adding SVCB aliases to SVCB alias or CNAME records within vertical integration environments.) As for Point (3), I don't think we are yet at a consensus of which value of "N" (e.g. "one") is reasonable, given the functional requirement for deployment in the real world. Brian > > Point (2) essentially serves as a warning to not assume long chains will > always be followed. The allowed length may vary, but many operators are > going to impose a limit at some point out of practicality. > > Points (3) and (4) set the expectation of reasonable minimum limits for > everything to work well. Recursives are given a higher limit because, as > stated in this thread, it is very reasonable for those operators to support > such higher limits. Stubs are given a lower limit because it is less > reasonable for them to support the long chains, but they are still expected > to follow at least one alias because that is the minimum to support the > obvious usecase of allowing https://example.com/ aliasing. Both these > points only apply to HTTPSSVC, and leave SVCB less defined, as what is > reasonable behavior may be more varied in non-HTTPS cases. > > On Fri, Dec 27, 2019 at 12:54 PM Eric Orth <ericorth@google.com> wrote: > >> >> >> On Mon, Dec 23, 2019 at 3:57 PM Brian Dickson < >> brian.peter.dickson@gmail.com> wrote: >> >>> >>> >>>> Being typically further away from results and with less caching, >>>> unlimited chain following just does not seem reasonable for a stub like >>>> Chrome, and it seems to us to have a big potential to be detrimental to our >>>> users' experiences compared to the status quo of not following any chains. >>>> >>> >>> This puts the necessary and appropriate pressure on stub clients to >>> their resolver operators, to deploy Alias-form aware resolvers. >>> >>> Putting in place (IMHO) hacks, to reduce or eliminate that "pain", >>> removes ANY incentive for resolver operators to actually deploy this stuff. >>> >>> If resolver operators NEVER deploy this stuff, we may as well chuck it >>> before we adopt this, since there will be literally zero benefit, while >>> creating non-trivial amounts of cost (in terms of stub client >>> implementations, authority-server implementations, zone owner deployments, >>> etc.) >>> >>> BTW, I'm strongly in favor of this getting adopted, and getting deployed >>> in recursive resolvers. >>> >>> Thus, I'm in favor of NOT having alias-form limits, even on the stubs. >>> This will lead to much faster adoption, compared to "Real Soon Now", "Some >>> Day", "Eventually", and "We Never Promised To Do That". >>> (The latter set of responses paraphrased from an un-named registrar who >>> eventually reneged on "promises" to deploy DNSSEC support.) >>> >> >> Chrome is not willing to subject its users to such an easily avoidable >> "pain" simply as an incentive to other operators to help fix the badness. >> As much as users taking a latency hit of following long chains would >> incentivize recursives to follow the chains on their side, requiring long >> chain following would be an even stronger incentive to browsers and other >> stub clients to not support any HTTPSSVC alias following or maybe not >> support standardized HTTPSSVC at all. >> >> But I also disagree that all incentive for recursives to follow chains is >> removed if stubs only follow one alias link. Even following that single >> alias in the stub is going to almost always be a bit slower than if the >> recursive does it. >> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- Re: [DNSOP] SVCB chain lengths Vladimír Čunát
- [DNSOP] draft-ietf-dnsop-svcb-httpssvc-01 feedback Eric Orth
- Re: [DNSOP] draft-ietf-dnsop-svcb-httpssvc-01 fee… Brian Dickson
- Re: [DNSOP] draft-ietf-dnsop-svcb-httpssvc-01 fee… Patrick McManus
- [DNSOP] SVCB chain lengths Ben Schwartz
- Re: [DNSOP] SVCB chain lengths Patrick McManus
- Re: [DNSOP] SVCB chain lengths Brian Dickson
- Re: [DNSOP] draft-ietf-dnsop-svcb-httpssvc-01 fee… Vladimír Čunát
- Re: [DNSOP] SVCB chain lengths Eric Orth
- Re: [DNSOP] SVCB chain lengths Brian Dickson
- Re: [DNSOP] SVCB chain lengths Paul Vixie
- Re: [DNSOP] SVCB chain lengths Masataka Ohta
- Re: [DNSOP] SVCB chain lengths Eric Orth
- Re: [DNSOP] SVCB chain lengths Eric Orth
- Re: [DNSOP] SVCB chain lengths Brian Dickson
- Re: [DNSOP] SVCB chain lengths Brian Dickson
- Re: [DNSOP] SVCB chain lengths Brian Dickson
- Re: [DNSOP] SVCB chain lengths John Levine
- Re: [DNSOP] SVCB chain lengths Paul Vixie