Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02

[Eric Orth <ericorth@google.com>]

On Mon, Apr 20, 2020 at 7:39 PM Ben Schwartz <bemasc=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Mon, Apr 20, 2020 at 7:30 PM Eric Orth <ericorth=
> 40google..com@dmarc.ietf.org <40google.com@dmarc.ietf.org>> wrote:
>
>>
>>
>> On Fri, Apr 17, 2020 at 6:20 AM Alessandro Ghedini <alessandro@ghedini.me>
>> wrote:
>>
>>> Hello,
>>>
>>> First off, I have started implementing support for SVCB and HTTPSSVC as
>>> part of
>>> the dnspython library [0] and I'd be interested in doing some interop
>>> testing
>>> with other people's implementations.
>>>
>>> I also have a few comments/questions about the draft, apologies if they
>>> have
>>> already been discussed in the past (haven't been following the draft
>>> from the
>>> start).
>>>
>>> 1. For interop testing purposes it would be very helpful if the draft
>>> listed
>>> commonly agreed upon code-points for the new RR types. Ideally in the
>>> form of an
>>> official early assignment from IANA, but if that's not possible picking
>>> a couple
>>> of codepoints at random from the "private use" range would also be
>>> helpful. In
>>> my implementation I'm currently using "65481" for SVCB and "65482" for
>>> HTTPSSVC.
>>>
>>> 2. The structure of the draft is a bit odd, as it lists a bunch of
>>> examples
>>> before introducing any of the records. This was a bit confusing to me,
>>> so I'd
>>> suggest moving sections 1.5 and 1.6 _before_ the examples (that is,
>>> immediately
>>> after the introduction). It might also be a good idea to just move the
>>> examples
>>> to an Appendix instead.
>>>
>>> 3. Would it make sense to move the ESNI/ECHO config paramenter to the
>>> ESNI/ECHO
>>> draft instead? This way the DNS draft wouldn't need to depend on the
>>> ESNI draft
>>> (so e.g. if ESNI ends up taking longer, this draft could be published
>>> without
>>> having to wait for it).
>>>
>>> 4. What is the point of differentiating between AliasForm and
>>> ServiceForm? Like,
>>> couldn't the draft just say that the SvcFieldValue is an optional field
>>> and be
>>> done with that? It seems like not having to explicitly differentiate the
>>> two
>>> cases would simplify the draft a bit without sacrificing much, though I
>>> might
>>> be missing something.
>>>
>>
>> I think the stronger distinction makes it easier to describe the required
>> behavior differences.  Much simpler to just say things like don't mix both
>> forms in the same response, and to ignore non-alias if any aliases are
>> present, than to make more detailed descriptions about what specific
>> optional contents are allowed to be mixed or not to accomplish the same
>> thing.
>>
>>
>>>
>>> 5. Section 2.1.1 says
>>>
>>>    The presentation format for SvcFieldValue is a whitespace-separated
>>>    list of elements representing a key-value pair, with an absent value
>>>    or "=" indicating an empty value.
>>>
>>> It took me longer than I'd like to admit to understand the "with an
>>> absent value
>>> or "=" indicating an empty value" part. I'd suggest rewording that
>>> paragraph to
>>> something like:
>>>
>>>    The presentation format for SvcFieldValue is a whitespace-separated
>>> list of
>>>    key=value pairs (e.g. "key123=value1 keys456=value2"). When the
>>> value, or
>>>    both the value and the "=" are omitted, the value should be
>>> interpreted as
>>>    being empty.
>>>
>>> Or something better :)
>>>
>>> 6. In Section 2.2 it says (in reference to param field values):
>>>
>>>    o  an octet string of the length defined by the previous field.
>>>
>>> It might be good to say here that the format of this octet string is
>>> defined
>>> according to the corresponding SvcParamKey, and then reference section 6
>>> for
>>> ths currently defined keys. The same applies for section 2.1.1 for the
>>> presentation format.
>>>
>>> 7. Section 4.3 says:
>>>
>>>    All DNS servers SHOULD treat the SvcParam portion of the SVCB RR...
>>>
>>> Should it be SvcFieldValue instead of SvcParam? "SvcParam" is not
>>> mentioned
>>> anywhere else.
>>>
>>> 8. Maybe I'm missing something, but the following sentence in Section
>>> 6...4 seems
>>> wrong:
>>>
>>>    When SvcDomainName is ".", server operators SHOULD NOT include these
>>> hints,
>>>    because they are unlikely to convey any performance benefit.
>>>
>>> My understanding is that ipv4hint and ipv6hint are the way to solve the
>>> ESNI
>>> multi-CDN problem, so let's say I have "www.example.net" that CNAMEs to
>>> both
>>> "cname.cdn-a.example" and "cname.cdn-b.example". A client queries both A
>>> and
>>> HTTPSVC concurrently for "www.example.net", and receives two answers
>>> (the answer
>>> to the A query points to CDN A, while the answer to HTTPSSVC points to
>>> CDN B):
>>>
>>>     www.xample.net      3600 IN CNAME cname.cdn-a.example
>>>     cname.cdn-a.example 3600 IN A 192.0.2.1
>>>
>>> and
>>>
>>>     www.xample.net      3600 IN CNAME cname.cdn-b.example
>>>     cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=h3 esniconfig="..."
>>>
>>> My understanding is that in this case the client could end up connecting
>>> to
>>> 192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong
>>> ALPN). So if
>>> the server doesn't provide IP hints there would indeed be impact on
>>> performance
>>> because the client would just straight up fail to connect initially
>>> (e.g. maybe
>>> CDN A doesn't support HTTP/3, but CDN B's HTTPSSVC says the client can
>>> use it,
>>> or just because of the wrong ESNI config).
>>>
>>> Long story short, I don't think the text should discourage setting
>>> ipv4hint and
>>> ipv6hint here. I get that it's SHOULD NOT and not MUST NOT, but it's
>>> pretty
>>> confusing nevertheless.
>>>
>>
>> I don't think the hints are intended for this problem.  I think the
>> general design idea is that A/AAAA are the definitive address results for a
>> given name, and clients can just optionally shortcut querying A/AAAA if
>> given hints.
>>
>> In your example, I believe the "." HTTPSSVC entry indicates that the
>> A/AAAA addresses for "cname.cdn-b.example" should be used, so it doesn't
>> seem like there is a multi-CDN problem.  The correct addresses for the
>> correct CDN are used.
>>
>> But I think this might point out a potential problem with skipping hints
>> for "." results.  If the HTTPSSVC result passes through a CNAME, a
>> non-HTTPSSVC-supporting recurssive will handle the CNAME, but not lookup
>> A/AAAA for the HTTPSSVC.
>>
>
> I don't think this can happen.  Any CNAME that affects HTTPSSVC will also
> affect the corresponding A/AAAA queries, which are always issued
> simultaneously and to the same QNAME.
>

alessandro@'s case was for multiple CNAME's and a recursive with behavior
that could follow those in different directions for the different
requests.  Not technically legal, but the more important question here is
whether or not significant instances behave in this non-standard way.  If
they do, this will lead to a situation where hints would be beneficial even
for "." records.

So does anybody know how common such non-standard behavior is? My 5-minute
research says that some versions of BIND allow round-robin between multiple
CNAME records.


>
>
>>   So the client gets an HTTPSSVC result for cname.cdn-b.example but only
>> queried A/AAAA for www.xample.net, so without hints, the client will
>> have to do an extra set of A/AAAA queries for cname..cdn-b.example.
>>
>>
>>>
>>> 9. Speaking of multi-CDN, AFAICT the problem is mentioned only once in
>>> the whole
>>> draft and only in relation to ESNI. However this is not ESNI-specific
>>> and also
>>> affects e.g. HTTP/3 as per the example above. So I think it would be
>>> useful to
>>> go into a little more detail on this.
>>>
>>> 10. Section B.2: s/pther/other/
>>>
>>> Cheers
>>>
>>> [0] https://github.com/rthalley/dnspython/pull/452
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>