[DNSOP] Comments on draft-ietf-dnsop-svcb-https
"libor.peltan" <libor.peltan@nic.cz> Wed, 17 June 2020 12:10 UTC
Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CB13A0A31 for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2020 05:10:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDoNxmh6R6tf for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2020 05:10:50 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 427E93A0A3D for <dnsop@ietf.org>; Wed, 17 Jun 2020 05:10:18 -0700 (PDT)
Received: from [172.20.6.79] (unknown [172.20.6.79]) by mail.nic.cz (Postfix) with ESMTPSA id C91C4140954; Wed, 17 Jun 2020 14:10:14 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1592395815; bh=xg2Qosykt5D37mlotB2GmbZ9KZk+drWTJ1YKrE2zhm8=; h=From:To:Date; b=KyLlWFK2BVRV42ZBc1XmhOLeoFPvMPG2XaQLiZFpEPYJlrqA9z5rJ5k73p9fNE+8N ffT54KdRQ5JqV46MktrfN8304ffL3UE+O2imb9Wdy4osQzTWifLCgOCY7AgpSQeWxy 9c2zi8fpXEUrssJVO48cdeZr4OTNMb8X0hL9K+Vg=
From: "libor.peltan" <libor.peltan@nic.cz>
To: dnsop@ietf.org, "knot-dns@labs.nic.cz Dns" <knot-dns@labs.nic.cz>
Message-ID: <958b1059-a18c-7c01-1280-8deed67a5842@nic.cz>
Date: Wed, 17 Jun 2020 14:10:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.102.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nZSFepJAXOUvyTW2wNtzkxqZI6c>
Subject: [DNSOP] Comments on draft-ietf-dnsop-svcb-https
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 12:57:16 -0000
Hi all, i'm a developer of Knot DNS authoritative server. I have some comments on the SVCB draft and some suggestions for improvements. Just consider my thoughts and then do whatever is best. (1) The format of SVCB (and HTTPS) RR is too complicated, especially for parsing presentation format to wireformat and back, including consistency checks. Perhaps instead of www 3600 IN HTTPS 1 . alpn=h2 port=8443 It could be www 3600 IN HTTPS 1 . alpn h2 1 . port 8443 Which gives slightly bigger RRSet wireformat, but not by much. (2) Paragraph 2.2 explicitly requires that SvcDomainName must not be compressed. Is there a reason? Especially when the response packets are large (and I expect that for SVCB they will), any compression helps. (3) Paragraph 2.5 contradicts itself: "SvcDomainName MUST be the name of a domain that has SVCB, AAAA, or A records" versus "SvcDomainName MAY be the owner of a CNAME record". What is the meaning here? (4) Let's assume that CNAME is allowed under SvcDomainName. Paragraph 4.1 is too vague and I don't see what an authoritative (not recursive!) server shall answer in situation SVCB->CNAME->A (all in-bailiwick). Shall the CNAME and A be added to additional section? For comparison, in situation MX->CNAME->A we don't bother since this situation is forbidden (see RFC 2181). (5) Wouldn't one octet for priority field be enough? (6) There are not enough examples in the document. There are many variants of SVCB records, the formal ABNF description is difficult to read, and it would also illustrate what kind of services those records are designed to handle. Best regards and thanks for your effort, Libor Peltan CZ.NIC
- [DNSOP] Comments on draft-ietf-dnsop-svcb-https libor.peltan
- Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-htt… Tommy Pauly
- Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-htt… Mark Andrews
- Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-htt… Libor.peltan