Re: [DNSOP] AD Review of: draft-ietf-dnsop-svcb-https
Warren Kumari <warren@kumari.net> Thu, 05 August 2021 15:41 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5128E3A16AA for <dnsop@ietfa.amsl.com>; Thu, 5 Aug 2021 08:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tzbSXg1RMO-e for <dnsop@ietfa.amsl.com>; Thu, 5 Aug 2021 08:41:14 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5D63A16AC for <dnsop@ietf.org>; Thu, 5 Aug 2021 08:41:14 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id m18so7705416ljo.1 for <dnsop@ietf.org>; Thu, 05 Aug 2021 08:41:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Z5i4mctsZln9+eS1vKijzj1mcWkMFnOmRpf5XMboAOU=; b=JhJQzohXMofRnok0CQk/nDpDXv9rtPNpnq1XnkqaEVfs8uaUwNYKpiJU/RbFgOdkkv 7wgPOJJwfP/1NdM4xfgoJg66xBee5oPxkjQndmVd1VJ1eAI0FQ1Rayha0vXT8fCnTp1O TAh0qumkHifY++ip8SBiC88QWpLJyQ8n4Uw1EPCSV2qlG6kMFytgjAitaSC9Ywkj+h8w ZcKozvtls657hkvAhaz5Kh/giBC2EE/ah54ut3ZZaaGlm37zeFi4YtnmR0y2/1luyw1i bMqRrYlsZy+TWENcpgaxO4nQRF04bWAVwmrQHOR+/Ojrw//kOLTtUuaEMGnO2QolZgaS ASxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Z5i4mctsZln9+eS1vKijzj1mcWkMFnOmRpf5XMboAOU=; b=UDt7smzteobGCdeXv8tC8jq6ZRpUQTYAr2NmJAIwT97HBu+2uH2I5hTeNeHlB+VAaA Zk5caI0AoCCA1rFAKNmyIvgFoGtgMOZL7aSXu3WH7OocYkQZYb2BRAVhs7aPceTjGnWV MMVLVGH/LsZboWLlrL3tSoorTlIoBUXFUnkM73tbLpl+j+sL5xZx0QbZhoxD6uCdo0MF iJLn0UOmquVTqrB80eWKNqBMvJTDZL1EipjkDQ9cD+aNFbLKazWqfK4/orSuP3f3KQIQ YUpL6qskEVdMWFLfuwWYg/sHmSSm1KJ5l6OJThtd0Zl12oi92T1woYa7YMB4qCbNDjkS wkVw==
X-Gm-Message-State: AOAM533xPLqQ9EmL1UYnxBHYDwGV/jyTQftV0JRulGj1yFG5f8PkWRfT ONS/EgYiB1D+BPUCzXSW8MuMBgUzaoKfCAHAFunBDIJ+hkE=
X-Google-Smtp-Source: ABdhPJyiiFL68bT+ooahFeBUoNS7hR4gepwTMNPQHp6jH+7O7eicz8U8VULnbkZi+5M5KNA1skP1wHGH1WaZYAzGXfs=
X-Received: by 2002:a2e:2a46:: with SMTP id q67mr3612194ljq.309.1628178070328; Thu, 05 Aug 2021 08:41:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iLPr=EzY0CiMurMQp0QkYk+xoB8TJTgSga3Qejk6yd7VQ@mail.gmail.com>
In-Reply-To: <CAHw9_iLPr=EzY0CiMurMQp0QkYk+xoB8TJTgSga3Qejk6yd7VQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 05 Aug 2021 11:40:34 -0400
Message-ID: <CAHw9_iJ7GXac3fmpAn+pBOCP7riLm68D=DfLJpYvbbhW4me0bA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>, draft-ietf-dnsop-svcb-https@ietf.org
Content-Type: multipart/alternative; boundary="000000000000836ec005c8d1bf95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o2B_cIQtWmtMGY_GWVJMt-yLWzE>
Subject: Re: [DNSOP] AD Review of: draft-ietf-dnsop-svcb-https
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 15:41:19 -0000
Thank you to the authors for having updated the document, and to the chairs for having poked me. I've requested IETF LC. Thanks everyone. W On Tue, Jul 27, 2021 at 12:34 PM Warren Kumari <warren@kumari.net> wrote: > Dear Authors and WG, > > This document made me grumpy. > > Pointing out nits and similar in documents is one of the few times > that I get to feel superior, and demonstrate my outstanding missing > comma detection abilities... I feel that I've been robbed of this > opportunity in this document -- I only found 4 (four) issues in 57 > pages, for a measly 0.07 errors per page... > > While they are just nits, I'd still appreciate it if the authors could > address them and post a new version -- having the document as clean as > possible before starting IETF LC helps things run smoothly. > > Please SHOUT LOUDLY once you've had a chance to address these (marked > with [O] [P] notation), and I'll kick off LC. > > Thanks, > W > > > > > DNSOP Working Group B. Schwartz > Internet-Draft Google > Intended status: Standards Track M. Bishop > Expires: 18 December 2021 E. Nygren > Akamai Technologies > 16 June 2021 > > > Service binding and parameter specification via the DNS (DNS SVCB and > HTTPS RRs) > draft-ietf-dnsop-svcb-https-06 > > Abstract > > This document specifies the "SVCB" and "HTTPS" DNS resource record > (RR) types to facilitate the lookup of information needed to make > connections to network services, such as for HTTPS origins. SVCB > records allow a service to be provided from multiple alternative > endpoints, each with associated parameters (such as transport > protocol configuration and keys for encrypting the TLS ClientHello). > They also enable aliasing of apex domains, which is not possible with > CNAME. The HTTPS RR is a variation of SVCB for HTTPS and HTTP > origins. By providing more information to the client before it > attempts to establish a connection, these records offer potential > benefits to both performance and privacy. > > 1. Introduction > > The SVCB ("Service Binding") and HTTPS RRs provide clients with > complete instructions for access to a service. This information > enables improved performance and privacy by avoiding transient > connections to a sub-optimal default server, negotiating a preferred > protocol, and providing relevant public keys. > > For example, when clients need to make a connection to fetch > resources associated with an HTTPS URI, they currently resolve only A > and/or AAAA records for the origin hostname. This is adequate for > services that use basic HTTPS (fixed port, no QUIC, no [ECH]). Going > beyond basic HTTPS confers privacy, performance, and operational > advantages, but it requires the client to learn additional > > [O] the client to learn > [P] that the client learn > [R] readability/grammar > > information, and it is highly desirable to minimize the number of > round-trips and lookups required to learn this additional > information. > > [O] and it is highly desirable to minimize the number of > > round-trips and lookups required to learn this additional > information. > [R] Can this sentence be split? The "HTTPS confers ..., but ... and it > is highly desirable..." gets a bit confusing unless you already know > this :-) > > The SVCB and HTTPS RRs also help when the operator of a service > wishes to delegate operational control to one or more other domains, > e.g. delegating the origin "https://example.com" to a service > operator endpoint at "svc.example.net". While this case can > sometimes be handled by a CNAME, that does not cover all use-cases. > CNAME is also inadequate when the service operator needs to provide a > bound collection of consistent configuration parameters through the > DNS (such as network location, protocol, and keying information). > > This document first describes the SVCB RR as a general-purpose > resource record that can be applied directly and efficiently to a > wide range of services (Section 2). The HTTPS RR is then defined as > a special case of SVCB that improves efficiency and convenience for > use with HTTPS (Section 8) by avoiding the need for an Attrleaf label > [Attrleaf] (Section 8.1). Other protocols with similar needs may > follow the pattern of HTTPS and assign their own SVCB-compatible RR > types. > > All behaviors described as applying to the SVCB RR also apply to the > HTTPS RR unless explicitly stated otherwise. Section 8 describes > additional behaviors specific to the HTTPS RR. Apart from Section 8 > and introductory examples, much of this document refers only to the > SVCB RR, but those references should be taken to apply to SVCB, > HTTPS, and any future SVCB-compatible RR types. > > The SVCB RR has two modes: 1) "AliasMode" simply delegates > operational control for a resource; > > [O] 1) "AliasMode" simply delegates > > operational control for a resource; > > [P] 1) "AliasMode", which simply delegates > > operational control for a resource; > > [R] grammar/clarity. Suggest the same for #2 below. > > 2) "ServiceMode" binds together > configuration information for a service endpoint. ServiceMode > provides additional key=value parameters within each RDATA set. > > 1.1. Goals of the SVCB RR > > The goal of the SVCB RR is to allow clients to resolve a single > additional DNS RR in a way that: > > * Provides alternative endpoints that are authoritative for the > service, along with parameters associated with each of these > endpoints. > > * Does not assume that all alternative endpoints have the same > parameters or capabilities, or are even operated by the same > entity. This is important as DNS does not provide any way to tie > > [O] This is important as DNS > [P] This is important, as DNS > [R] grammar > > together multiple RRs for the same name. For example, if > www.example.com is a CNAME alias that switches between one of > three CDNs or hosting environments, successive queries for that > name may return records that correspond to different environments. > > * Enables CNAME-like functionality at a zone apex (such as > "example.com") for participating protocols, and generally enables > delegation of operational authority for an origin within the DNS > to an alternate name. > > ---- > ... and I found no more errors or even nits below. > > Grump. > W > > > -- > Perhaps they really do strive for incomprehensibility in their specs. > After all, when the liturgy was in Latin, the laity knew their place. > -- Michael Padlipsky > -- The computing scientist’s main challenge is not to get confused by the complexities of his own making. -- E. W. Dijkstra
- [DNSOP] AD Review of: draft-ietf-dnsop-svcb-https Warren Kumari
- Re: [DNSOP] AD Review of: draft-ietf-dnsop-svcb-h… Warren Kumari