Re: [DNSOP] Minimum viable ANAME

Ben Schwartz <bemasc@google.com> Wed, 07 November 2018 05:54 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDB07130DD9 for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 21:54:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EK7540O2QMKs for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 21:54:15 -0800 (PST)
Received: from mail-it1-x136.google.com (mail-it1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6252127333 for <dnsop@ietf.org>; Tue, 6 Nov 2018 21:54:14 -0800 (PST)
Received: by mail-it1-x136.google.com with SMTP id d6so21352729itl.4 for <dnsop@ietf.org>; Tue, 06 Nov 2018 21:54:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9ZSVSlDwT3YWgpIhQEPJQszMBJSerN8V5ewIIvmRHxE=; b=uG/2eFBAG04WaIxPi+5HMuNrJdOw/+TJrlw/qZfvqF64fzm+gmVWeVdVCdkf+O5jp9 Yvx4GCEPzCBWBjIwZQctir10FmIYQTSQtyg3DoD+7JJP7DO9ka5MGTvDJg1OOrNRhtMH ZblYvzGgQsh1AENXJFeXMf1kpdtHTKnqvFoLw+4Vtz8Vl+qw30UVKEW6LfHIwrQGKdfH tm2dixcCq9UgF22e9AJ8Dn1Xmq923JvgANYo4m4Wa4v68ZFIETR+POkSbpZrW6TpDybH ixg4Xpt96KF6qPb9m43Ha7JOl006l0prHwCEy1bS/vXS6RPkwM4kk7Z9cxPsZBVM8X+F b8RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9ZSVSlDwT3YWgpIhQEPJQszMBJSerN8V5ewIIvmRHxE=; b=EnrGWAuaFeOWeoJCaUMrAw3bRYY4OvF8dd3Rz8vdE9BAatpB/stR4XO1ts15+vVtgX dxV1TPeMZvXjRfh91R6yo1gKX7kH93KNqqUQBJrUs/3SlWt6tQoeJnaL5Treqn4xFdNL JIci8v/6Km8jimZuhiYge3scleGihmZH4N4aRB6+Lt0jykqr3HhEUvzGHR3YZulPnOyk ELE7h7QtTJdXOIY1r8At7G0ajW3vkGYUU23mSm8PpjyxKaDpQR91IOqnTyGZ5ahudz/q KItXNelQ498hPTOp37Kl5QfsdstcRwvVyjzVjRbBcZurS2Sxx9uyJp+SPifp6RE0IYYF ffiw==
X-Gm-Message-State: AGRZ1gKnBIZAEDCpB/vZH0Z+dBH4cwxEBQsNhb8E8QOzGRkXWnWEqAE4 XSI+YnKwIHFIFrbS6Mz6iRoC62E1b4ltbfebL0d9og==
X-Google-Smtp-Source: AJdET5duwCBm5Gqp1V/0T64Wl4+z7EEL0MwQhC7eSJTUedwJkCT1oZdy8F9T23KfV5nA1Gtq9K4HN6XugDr11GeBnbM=
X-Received: by 2002:a05:660c:284:: with SMTP id s4mr719567itl.162.1541570053760; Tue, 06 Nov 2018 21:54:13 -0800 (PST)
MIME-Version: 1.0
References: <201809211811.w8LIBdLA021837@atl4mhob20.registeredsite.com> <fdee6f3f-dd86-b482-5263-eb8e2a21bcb7@bellis.me.uk> <CAKC-DJi=Afer4uKprMf-uaNB07MVY-XJ+etocntY0BbU1bXYrg@mail.gmail.com> <CAHbrMsATrpdgP6PN2DSAjf+Nj7ZMywPu=FiGMzxjvoOm5ab2OA@mail.gmail.com> <F508AFA8-6611-4553-97AA-2A38A7F28691@isc.org> <CAHbrMsDXBJF1ieOx4H-zgCQp7SursR7q_25i99njp6m0McLg3Q@mail.gmail.com> <CFCB645C-ED49-457A-BB16-12987C87EE9F@isc.org>
In-Reply-To: <CFCB645C-ED49-457A-BB16-12987C87EE9F@isc.org>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 7 Nov 2018 00:54:00 -0500
Message-ID: <CAHbrMsAGJrzX5q5yVhn9JWbbgXeL3odNJyNe2HsvVrQcr7RCBw@mail.gmail.com>
To: marka@isc.org
Cc: Erik Nygren <erik+ietf@nygren.org>, dnsop@ietf.org, Ray Bellis <ray@bellis.me.uk>, "Bishop, Mike" <mbishop@akamai.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="0000000000007d6a90057a0cbf00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ozPrNWNmyrad22AbSYN0rQaPCjk>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 05:54:19 -0000

On Tue, Nov 6, 2018 at 5:53 PM Mark Andrews <marka@isc.org>; wrote:

>
>
> > On 7 Nov 2018, at 9:25 am, Ben Schwartz <bemasc@google.com>; wrote:
> >
> >
> >
> > On Tue, Nov 6, 2018 at 5:06 PM Mark Andrews <marka@isc.org>; wrote:
> >
> >
> > > On 6 Nov 2018, at 5:27 am, Ben Schwartz <bemasc=
> 40google.com@dmarc.ietf.org>; wrote:
> > >
> > > On Sat, Nov 3, 2018 at 4:12 PM Erik Nygren <erik+ietf@nygren.org>;
> wrote:
> > > How does draft-schwartz-httpbis-dns-alt-svc-02 with some changes to
> make it more DNS-aligned (e.g. the name as a separate field in the record)
> not help here?
> > >
> > > Thanks for mentioning DNS-Alt-Svc, Erik.
> > >
> > > Compared to URI or the proposed HTTP record, one thing that's
> different about DNS-Alt-Svc is that Alt-Svc is always optional, as
> currently defined, and DNS-Alt-Svc inherits those semantics.  That means
> servers have to be prepared for some users to ignore the ALTSVC record, so
> the apex would still need AAAA records.
> >
> > The publishing or the lookup?
> >
> > Both.  Most web servers don't make use of Alt-Svc, and browsers are
> under no obligation to respect it (and indeed many don't).  It's strictly
> an optimization, and everything still has to work correctly without it.
>
> HTTP is optional to be published.  For HTTP to a solution to name to
> server mapping in the DNS it needs to be looked up by clients and ALTSRV
> would also need to be looked up clients at the time
> A and AAAA records are being looked up.  Say it wouldn't is being
> disingenuous.  Legacy clients wouldn’t look it up.
>

HTTP as proposed isn't useful to site operators until it's deployed in all
(their relevant) clients.  HTTP as proposed isn't useful to clients until
there are servers that don't work without it.  This is essentially the same
deadlock as with SRV, and IMHO it's the main reason we haven't made any
progress on this topic.

It seems you're proposing that clients should implement this unilaterally
now, with the expectation that servers will eventually start to depend on
it, N years from now when client support is universal.  I think this is
unlikely to happen.  By my estimate, this proposal would ask browser
vendors to waste quadrillions of DNS queries over the next few years,
waiting for a critical mass that may never arrive, in order to achieve a
goal with no apparent benefit to the user.  If Browser A (X% of users)
implements this feature, and Browser B (Y > 5% of users) never implements
it, then most websites can never rely on it, and Browser A incurs an
ongoing cost for no benefit to anyone.

Perhaps all the browser vendors will get on board, but if history is any
guide, most will not, and even one holdout torpedoes the whole project.
(Also, browsers simply _can't_ implement it if they do DNS through POSIX
libc, as many browsers traditionally have done.)


> > > Being optional may seem like a deficiency for this application, but I
> now think it's actually the best we can do as a first step.  If we start
> with an optional record type that offers added value (e.g. performance,
> privacy, or security), then both client vendors and server operators have a
> reason to invest in deployment.  Once it's widely deployed, then we can
> imagine simplified architectures that rely on the new record type, starting
> with servers that don't need to support legacy clients.
> > >
> > > I think it's reasonable to have a roadmap to a full transformation of
> the DNS architecture for HTTP, but every step along the roadmap ought to
> have clear net benefit to each participating party.  This seems to require
> a design more or less like DNS Alt-Svc, where the additional indirection is
> coupled to other improvements for HTTP.
> > >
> > >   It comes from the HTTP world and is aligned with the existing AltSvc
> feature and thus is useful in other ways (such as perhaps solving the DNS
> deployabilty issues for encrypted SNI):
> > >
> > > https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02
> >
> >
> > What are the rules for populating the additional section of a response?
> >
> > The DNS Alt-Svc draft currently doesn't cover this, but I would
> definitely be interested to hear suggestions.  Since support is optional,
> the draft focuses on the RFC 3597 opaque record process, but we can
> certainly consider further optimizations that would be possible in
> ALTSVC-aware DNS servers.
> >
> > It looks like nameservers will have to split the rdata up on commas the
> look for protocol-id=value pair at the start of comma separated field.
> Then look for the :port and remove it from value.
> > then look to see if there was a host specified and if so lookup up that
> name.
> >
> > Wouldn’t be better to pre-parse the fields in the record?
> >
> > [<len><id-len><id><host><port>[<name-len><name><value-len><value]*]{1+}
> >
> > where host is in DNS wire format and . (00) is used for a empty host
> field in the alt-srv record?
> >
> > Libraries can reconvert this to textual format if that makes it easier
> for a browser though
> > you may as well use it in structured format.
> >
> > I'm fine with minor alterations to the syntax, but I'm not convinced
> that it's important.  Parsing the contents is optional (per RFC 3597), and
> writing a parser is trivial (as you've described).
>
> Given lots of browser people complained that SRV would require two round
> trips to the recursive server not describing how to populate the additional
> section would seem to be a non-starter.
>

DNS Alt-Svc as specified can be done without blocking the page load
critical path, so it doesn't add latency.  However, I agree that we would
want an approved way to populate the Additional section before asking
browsers to block pageload on an ALTSVC query.


> Having to re-parse the record every time you serve it also seem like a big
> waste of resources so
> no it really isn’t a minor alteration from the DNS side.
>

In the architecture you're describing, each ALTSVC record would only need
to be parsed once, when it arrives over the network.  I do not believe that
this kind of parsing represents a significant cost: throughput will be
network-limited before it is limited by this parsing step.

> Open-source parsers are widely available (e.g. from open-source
> browsers).  To avoid ossification, we'd need to have confidence that any
> deviations from the HTTP Alt-Svc syntax are losslessly interconvertible and
> future-proof, which is a high bar.
>
> If you extend the syntax such that a parser to the binary format above
> breaks request a new type
> and start using it.
>

This will not work with DNS Alt-Svc, which is specified as a transparent
pass-through for the HTTP Alt-Svc field value.  Even if we relax that
requirement, adding new RRTYPEs would create increasing overhead and
complexity, requiring clients to issue a query for every revision of the
ALTSVC RRTYPE on every connection initiation.


>
> > > - Erik
> > >
> > >
> > >
> > > On Sun, Sep 23, 2018, 10:41 AM Ray Bellis <ray@bellis.me.uk wrote:
> > > On 21/09/2018 19:11, JW wrote:
> > >
> > > > I also feel from this discussion, we are all roughly on the same
> page.
> > > > We want SRV as the long term solution ...
> > >
> > > except that we heard at the side meeting in Montreal (albeit from
> > > browser people rather than content people) that they *don't* want SRV,
> > > because it has fields that are not compatible with the web security
> model.
> > >
> > > I still want to define a new RR that does have mutually agreed
> semantics
> > > that's specifically for use by HTTP(s), but so far no takers.
> > >
> > > Ray
> > >
> > > _______________________________________________
> > > DNSOP mailing list
> > > DNSOP@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dnsop
> > > _______________________________________________
> > > DNSOP mailing list
> > > DNSOP@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dnsop
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
>