Re: [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-svcb-https-06.txt
Dick Franks <rwfranks@gmail.com> Fri, 02 July 2021 07:00 UTC
References: <162385376680.21187.3987569781956962248@ietfa.amsl.com> <CADyWQ+EuU4fe5WLAD7dRDhSfSgZfMWEk-jVW9z99x=cBKjd9uw@mail.gmail.com>
In-Reply-To: <CADyWQ+EuU4fe5WLAD7dRDhSfSgZfMWEk-jVW9z99x=cBKjd9uw@mail.gmail.com>
From: Dick Franks <rwfranks@gmail.com>
Date: Fri, 02 Jul 2021 08:00:00 +0100
Message-ID: <CAKW6Ri6ueXvB9xAZTVPVg=dUVhQnXeOtGS7WHRViAdtEbotqzA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oHHAXKPgRn025Vs20J_ZaAscc8A>
Subject: Re: [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-svcb-https-06.txt
Feedback on SVCB draft 06 as requested.

On Mon, 28 Jun 2021 at 02:39, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>8
>
> The chairs would like the WG to review these changes, and give us some feedback.


6.1. "alpn" and "no-default-alpn"

   The presentation "value" SHALL be a comma-separated list (Appendix A.1)
   of one or more "alpn-id"s. Zone file implementations MAY disallow the
   "," and "\" characters instead of implementing the "value-list"
   escaping procedure, relying on the opaque key format (e.g. "key1=\002h2")
   in the event that these characters are needed.

If implementations MAY ignore the escape mechanism Appendix A.1
completely, there is little incentive to do otherwise.

However, implementations that do not exercise that option expose
themselves to a litany of potential security weaknesses:

These range from argument strings which produce corrupt content:

example.com. SVCB 1 example.com. ipv6hint="2001:db8:5c:5c5c::1"

not ok 29 - SVCB ipv6hint shrinkage
#   Failed test 'SVCB ipv6hint shrinkage'
#   at test.pl line 149.
#          got: 'example.com. IN SVCB ( \# 33 0001 076578616d706c6503636f6d00 ; example.com.
#  0006 000e 20010db8005c0000000000000001 )'
#     expected: 'example.com. IN SVCB ( \# 35 0001 076578616d706c6503636f6d00 ; example.com.
#  0006 0010 20010db8005c5c5c0000000000000001 )'

to crafted RRs which silently subvert the parsing process in undesirable ways:

example.com. SVCB 1 example.com. ipv4hint="92.48.55.48,92.48.56.53,92.48.54.54,92.48.56.50"

not ok 30 - SVCB ipv4hint subversion
#   Failed test 'SVCB ipv4hint subversion'
#   at test.pl line 149.
#          got: 'example.com. IN SVCB ( \# 23 0001 076578616d706c6503636f6d00 ; example.com.
#  0004 0004 46554252 )'
#     expected: 'example.com. IN SVCB ( \# 35 0001 076578616d706c6503636f6d00 ; example.com.
#  0004 0010 5c3037305c3038355c3036365c303832 )'


D.3. Failure cases

The following additional test vectors are listed below the corresponding
requirement.

[9, para 1] In presentation format, the value is a [SINGLE] ECHConfigList
encoded in Base64.

example.com. SVCB 1 foo.example.com. ech              ; missing argument
example.com. SVCB 1 foo.example.com. ech=b25l,dHdv    ; multiple arguments

[6.2, para 2] The presentation "value" of the SvcParamValue is a [SINGLE]
decimal integer between 0 and 65535 in ASCII.

Note: Character set cannot be specified here; it is whatever the platform
or zone file uses (EBCDIC for example).

example.com. SVCB 1 foo.example.com. port=1234,4678   ; multiple arguments

[6.1, para 6] When "no-default-alpn" is specified in an RR, "alpn" must
also be specified in order for the RR to be "self-consistent"
(Section 2.4.3).

example.com. SVCB 1 foo.example.com. ( no-default-alpn   ; without expected alpn
    )


D.2. Service form

The test vector for unsorted SvcParams would be better expressed using
numerical keys and disentangled from extraneous clutter.

example.com. SVCB 1 foo.example.org. (   ; unsorted SvcParam keys
    key23609 key23600 mandatory=key23609,key23600 )


--rwf


>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Wed, Jun 16, 2021 at 10:29 AM
> Subject: New Version Notification - draft-ietf-dnsop-svcb-https-06.txt
> To: Tim Wicinski <tjw.ietf@gmail.com>
>
>
> A new version (-06) has been submitted for draft-ietf-dnsop-svcb-https:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-06.txt
> https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-06.html
>
> The IETF datatracker page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
>
> Diff from previous version:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-svcb-https-06
>
> IETF Secretariat.
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
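The decoding order the message is arguing about, as an added example that is not part of the message, of the draft, or of the implementation whose test output is quoted above: a small SVCB presentation-to-wire encoder in Python in which zone-file unescaping (RFC 1035 \X and \DDD) runs exactly once, on the presentation text, and the Appendix A.1 value-list split runs once after it. The function names, the `rejected` helper and the inputs other than the message's own test vectors are this example's assumptions; the escaped-alpn case is derived from the Appendix A.1 rules rather than taken from the page. With that ordering the two vectors from the message encode to the "expected" wire values shown in the test output, the D.3 failure cases are refused, and the D.2 vector comes out with its keys sorted.

```python
# Added example (not code from the message or from any implementation it refers
# to): an SVCB presentation-to-wire encoder that runs each decoding stage once,
# in order. Zone-file escapes are removed from the presentation text first; the
# decoded text is then interpreted per key, so wire bytes that merely look like
# escapes (0x5c is '\') are never decoded a second time.
import base64, binascii, ipaddress, struct

SVCPARAM_KEYS = {"mandatory": 0, "alpn": 1, "no-default-alpn": 2, "port": 3,
                 "ipv4hint": 4, "ech": 5, "ipv6hint": 6}

def key_number(name: str) -> int:
    """Registered key name, or the generic 'keyNNNNN' form."""
    return int(name[3:]) if name.startswith("key") and name[3:].isdigit() else SVCPARAM_KEYS[name]

def decode_char_string(text: str) -> bytes:
    """RFC 1035 zone-file unescaping: '\\X' -> X, '\\DDD' -> byte DDD. Runs once."""
    out, i = bytearray(), 0
    while i < len(text):
        digits = text[i + 1:i + 4]
        if text[i] != "\\":
            out.append(ord(text[i])); i += 1
        elif len(digits) == 3 and digits.isdigit():
            if int(digits) > 255:
                raise ValueError("\\DDD escape out of range")
            out.append(int(digits)); i += 4
        elif i + 1 < len(text):
            out.append(ord(text[i + 1])); i += 2
        else:
            raise ValueError("trailing backslash")
    return bytes(out)

def split_value_list(value: bytes) -> list:
    """Appendix A.1 value-list: split at unescaped ',' after zone-file decoding;
    '\\,' and '\\\\' inside an item stand for a literal ',' and '\\'."""
    items, cur, i = [], bytearray(), 0
    while i < len(value):
        if value[i] == 0x5C:                             # backslash escapes next byte
            if i + 1 >= len(value):
                raise ValueError("dangling escape in value-list")
            cur.append(value[i + 1]); i += 2
        elif value[i] == 0x2C:                           # unescaped comma ends an item
            items.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(value[i]); i += 1
    items.append(bytes(cur))
    if not all(items):
        raise ValueError("empty item in value-list")
    return items

def encode_svcparam(param: str) -> bytes:
    """One presentation-format SvcParam -> wire form: key(2) length(2) value."""
    key_name, sep, raw = param.partition("=")
    key = key_number(key_name)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':      # quoted char-string
        raw = raw[1:-1]
    value = decode_char_string(raw)                      # the only unescaping step
    if key_name == "no-default-alpn":
        if sep:
            raise ValueError("no-default-alpn takes no value")
        wire = b""
    elif key_name.startswith("key"):
        wire = value                                     # opaque, e.g. key1=\002h2
    elif not value:
        raise ValueError(f"{key_name} requires a value")  # e.g. a bare 'ech'
    elif key_name == "alpn":
        wire = b"".join(bytes([len(i)]) + i for i in split_value_list(value))
    elif key_name == "port":                             # one integer, not a list
        text = value.decode("ascii")
        if not text.isdigit() or int(text) > 65535:
            raise ValueError("port must be a single integer in 0..65535")
        wire = struct.pack("!H", int(text))
    elif key_name in ("ipv4hint", "ipv6hint"):
        cls = ipaddress.IPv4Address if key == 4 else ipaddress.IPv6Address
        wire = b"".join(cls(a.decode("ascii")).packed for a in split_value_list(value))
    elif key_name == "ech":                              # exactly one Base64 ECHConfigList;
        wire = base64.b64decode(value, validate=True)    # 'b25l,dHdv' raises binascii.Error
    else:                                                # mandatory: sorted key numbers
        keys = sorted(key_number(k.decode("ascii")) for k in split_value_list(value))
        wire = b"".join(struct.pack("!H", k) for k in keys)
    return struct.pack("!HH", key, len(wire)) + wire

def encode_svcparams(params: list) -> bytes:
    """Whole list: unique keys in ascending order; no-default-alpn requires alpn."""
    encoded = {key_number(p.partition("=")[0]): encode_svcparam(p) for p in params}
    if len(encoded) != len(params):
        raise ValueError("duplicate SvcParamKey")
    if 2 in encoded and 1 not in encoded:
        raise ValueError("no-default-alpn without alpn is not self-consistent")
    return b"".join(encoded[k] for k in sorted(encoded))

def rejected(*params) -> bool:
    """True when the SvcParams are refused, as in the message's failure cases."""
    try:
        encode_svcparams(list(params))
    except (ValueError, binascii.Error):
        return True
    return False
```

Running `encode_svcparam('ipv4hint="92.48.55.48,92.48.56.53,92.48.54.54,92.48.56.50"')` yields the 16 address octets `5c3037305c3038355c3036365c303832`, i.e. the "expected" line of test 30; those octets spell `\070\085\066\082` in ASCII, which is the sequence a decoder that re-applies \DDD processing to already-converted bytes would collapse to the four bytes `46554252` ("FUBR") seen in the "got" line. The single-pass rule is the property to check when reviewing a zone-file parser: presentation text is unescaped once, and nothing downstream treats wire octets as text again.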