Re: [DNSOP] HTTP dns-alt-svc draft
Ben Schwartz <bemasc@google.com> Sat, 23 June 2018 17:13 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45EE0131038 for <dnsop@ietfa.amsl.com>; Sat, 23 Jun 2018 10:13:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.508
X-Spam-Level:
X-Spam-Status: No, score=-17.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KgfqZITod9Gt for <dnsop@ietfa.amsl.com>; Sat, 23 Jun 2018 10:13:00 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC33130EA9 for <dnsop@ietf.org>; Sat, 23 Jun 2018 10:12:59 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id a195-v6so6969176itd.3 for <dnsop@ietf.org>; Sat, 23 Jun 2018 10:12:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mMAumHkS3DWWtb3jLGjuvl6Mp2tcNUqEh1R2z47mTTk=; b=dU7suqubw+hKlrQvIKqlR+34vEMlptETO9iQkg0Dc2/FvFuw9kXRRVqlDgTf7aOMaC ZX7MHDphMieO7q781FPmkNrugwZO1TuEW9iyIhi8zP88MsIYDWwnYQNogwNuJLxKewb7 nLkw0AjLcEcuv2pK/kIP+rJZ86bxCyGd3HXhrHqmAPIOj5xaAJPNV2EQrHf+pNDdBQQQ Lsgw0f2rOS9fO2D98xsU3Jws+ASIzIfbKBgAM64PeoBEAE4HfYIAxXnFthBfkNoMK2Ft pdHzjgwhAbzk4FH8Gm+YFGNlucTKUOHdCg/H62k5o3lSTiL6Vb50+jMJy+OGk+uj3chp +mOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mMAumHkS3DWWtb3jLGjuvl6Mp2tcNUqEh1R2z47mTTk=; b=YJa5OCD3ey7eisYh9PKCCAAzPdQ5rVtgmcBw84rg0YwKJNOBNnPBBJdlbCHKDNdM4g Z4y7MmVSk56c/kFUn9rGG2Ni1WyhYuex7/zwqhqSma5k6+b1b3/hYlth2UWf7qriGKma g7zp+fo5TGQOm1H4UTcVP0HQ1aHc/TDVVssuSUajF7JdSBIeCUP6nd8b4Xq21odoDKcL y0t6Z6OXr3p+QBXTEO5UhU/z5c6EtMQubpdDYX3DOm2ErO6C+1DZ7Qz9AnXAhSwER3G9 wXH+ALjH0dZc7yFHuodhr7UJVs+mFz4ytm1+oaz809OYgr+tJ6NnWoI0KXiXg8zTJOPx +cMQ==
X-Gm-Message-State: APt69E1UMGJtsOf9+vwt9lnuD/S9QVC07l1A55Werv8Q/SG1uQ2lehyy 4LUcV0fk5alCjruv7wytgcuRclItMQ6Gcdptb21dVQ==
X-Google-Smtp-Source: ADUXVKLyyleO1kPxh2FX6SKkJFbVPTnedan8SnwNgMCsOmLtFqPiZzmKASMq6bnLoic4CQ4M1ZZkSlILgAxky9fzuzE=
X-Received: by 2002:a02:970a:: with SMTP id x10-v6mr1894189jai.137.1529773978599; Sat, 23 Jun 2018 10:12:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdU6XO6uhxDZpP59FUS6P5L+uG6PHvrr8gd8xDojzavqiw@mail.gmail.com>
In-Reply-To: <CAHPuVdU6XO6uhxDZpP59FUS6P5L+uG6PHvrr8gd8xDojzavqiw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 23 Jun 2018 13:12:47 -0400
Message-ID: <CAHbrMsBb-Ms0aRDWjHiGNXtRvfVvNvBwFdEtd1NAtjaEj6PTuw@mail.gmail.com>
To: shuque@gmail.com
Cc: dnsop@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000009f3a86056f524250"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o_UxHWyswS7uNF4M9OXrlVYuewM>
Subject: Re: [DNSOP] HTTP dns-alt-svc draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2018 17:13:04 -0000
On Sat, Jun 23, 2018 at 12:01 AM Shumon Huque <shuque@gmail.com> wrote: > In other threads, Erik Nygren suggested that we review the proposed > DNS record for HTTP Alternative Services draft: > > https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02 > (You might also want to read RFC7838 for background). > > This is an effort from people in the HTTP community. Since it's quite > clear that this community is not interested in using SRV, I find it > noteworthy that recent discussion on this group has continued on the > topic of SRV and web applications, and there has been no discussion > of this draft at all (well, I think Matt Pounsett glancingly mentioned that > we should look at it, but that's been the extent of it). > Hi, I'm one of the authors of this draft. Thanks for reviewing it! > I'd like to suggest that we look at this draft and see if it can both > address the needs of web applications and solve some of the > issues the DNS community faces, such as how to extricate ourselves > from the morass of various zone apex redirection hackery. > > I've taken a quick look and will dump my thoughts. I hope others > will do the same. > > Basically, given a HTTP origin (defined by a domain name, port, and > protocol/scheme), this record allows you to locate "alternative" hosts > that authoritatively provide service for the origin. The RDATA includes > the TLS ALPN ("h2" below is HTTP2), host, and port. > > Here's an example: > > _443._https.example.com. 900 IN ALTSVC "h2=\"cdn1.example.org:443\"" > _443._https.example.com. 900 IN ALTSVC "h2=\"cdn2.example.org:8443\"" > > It actually has similarities to SRV. But offers more capabilities > to web applications, such as http protocol version selection, and > has an extensible format for the ALTSVC field value (represented as > a text string in the RDATA), where more http specific protocol > parameters could be defined and placed in the future. > > So, it can solve the zone apex redirection problem if it becomes > widely adopted. > I think your summary is very good, but I want to caution you against this conclusion a little. Specifically, I want to point out that threshold for "widely adopted" might be extremely high. The ANAME proposal, as I understand it, can be deployed within the existing infrastructure, reaching all clients solely by modifying participating authoritative servers. Performance improvements are available if recursive resolvers become aware of ANAME but this is not required. No client changes are required. ALTSVC, in contrast, only affects the behavior of participating clients. That means that "legacy" clients without support for ALTSVC will continue to get the "current" behavior, i.e. relying on A/AAAA for the apex. If there is no A/AAAA at the apex, the site will be unreachable by "legacy" clients. I expect that it will be a very long time before this would be a good choice for most websites. One possibility is to have both an ALTSVC and A/AAAA at the apex. This apex IP address would only have to handle a small fraction of load, as a growing fraction of users would bypass it (and most users who do reach it can be redirected away after the first query). > However, because like SRV, it puts the application > port and scheme in the leading labels of the owner name, it inherits > some of the same limitations of SRV that Jan Vcelak pointed out > recently, such as inability to support wildcards. I don't know how > widespread such usage is, and whether that would be a blocker for > adoption of this approach. There's probably a lesson in there > about the fact that encoding application semantics in DNS labels > limits the flexibility of the DNS protocol, and that perhaps we > should have found another way to do these kinds of things. > > It's also noteworthy that it doesn't address the latency critique > of SRV records, because it has the same issue. > I think this is not correct, exactly. It's true that getting an ALTSVC takes about the same amount of time as getting an SRV, but there's a crucial difference: the client does not have to wait for the ALTSVC response before initiating the connection. Alt-Svc is defined as an optional optimization, not a requirement on clients or servers. A client can choose to wait for the ALTSVC response before initiating a connection, but clients are not required to do so. Since some web folks > are nevertheless interested in this approach, perhaps they have > warmed up to the idea of incurring some additional latency to resolve > site addresses. And it is in fact a latency improvement over RFC7838, > which incurs the additional cost of a HTTPS conversation with the > origin server looked up through simple address records > Just to clarify, this is true in some sense, but the "latency" in question doesn't delay the response to the user's initial query. Rather, increased "latency" means a longer time before the user is redirected to a preferred server. The user can continue to make queries to the default server before and during this redirection. - that's > actually way worse than SRV also. > > If a DNS resolver wanted to proactively fetch the address records of > the target hosts (or if we wanted to specify additional section > processing requirements for such), it is also a bit more complex > than SRV - because the resolver now has to parse a potentially > complex text string to pull out a presentation format name, in > comparison to SRV, where it could just pluck out a wire format name > from a known and fixed position. > This is true. However, an Alt-Svc value can contain an IP address target (not just a hostname), so there is less need for this kind of processing. My expectation is that generic DNS servers should never have to parse ALTSVC values. Personally, the name ALTSVC is too generic for my tastes. This appears > to be HTTP specific in my reading of the draft and its title, and not > generic. Or more specifically HTTPS specific, since it is defined in terms > of TLS APNs. But maybe HTTP being one of the dominant application > protocols gets to squat on generic names. I would have preferred > HTTPALTSVC or HALTSVC. > Input welcome, especially on the HTTPBIS WG list. Personally, I think ALTSVC is actually extremely generic. Because the protocol and value are opaque to DNS, non-HTTP protocols could adopt ALTSVC, and even choose an incompatible value format, without any change to existing systems. Of course, even if this approach is adopted and implemented, we'll still > have to maintain the variety of apex redirection hacks for many years until > the long tail disappears. But we have to start somewhere. > > I'd be interested in finding out how widespread support for this approach > is in the HTTP community. > > Shumon. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- Re: [DNSOP] HTTP dns-alt-svc draft Shumon Huque
- Re: [DNSOP] HTTP dns-alt-svc draft Ben Schwartz
- Re: [DNSOP] HTTP dns-alt-svc draft Ben Schwartz
- Re: [DNSOP] HTTP dns-alt-svc draft Shumon Huque
- [DNSOP] HTTP dns-alt-svc draft Shumon Huque
- Re: [DNSOP] HTTP dns-alt-svc draft Shumon Huque