Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 11 May 2021 23:13 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291C83A2A23 for <dnsop@ietfa.amsl.com>; Tue, 11 May 2021 16:13:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qp578Nv4Sx3u for <dnsop@ietfa.amsl.com>; Tue, 11 May 2021 16:13:27 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949843A2A22 for <dnsop@ietf.org>; Tue, 11 May 2021 16:13:27 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id y9so27248928ljn.6 for <dnsop@ietf.org>; Tue, 11 May 2021 16:13:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WB6OEa34Wtd9J2P6hwkDHR5NObaegYUVmncpi1yXGwE=; b=WkupHuwj4S9VDZIu41K7Ww13Va4I4NpjtwxMxs0AsrLWWaeGQCpS+eT0gOh7yadIzS KeJTr7/eHRpAZmtaYVj36YeweTfwH9ALIgxFg5djfmQJvhtEYbze6tiT4GW97OqR2wlM X8g7gEd8/6Tw3lttNGIYL3CK8LI1ORmlB20sS8bO9SAW9fO/pdazZQ/wMq8NXsF4zmlA k0A/l5p8w+iuIsCfR6ttbs7SOzpGX/oMCjQ8cD6imWEiDUKDfL0F7ogAioq5BwV0f+ha FdWhk5d2/uA55N3Sh4Ss2Yz77G6/NsxlMjrsUym6Hkxp3zbWPUujgEatSp+eN1T6YYq9 ppuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WB6OEa34Wtd9J2P6hwkDHR5NObaegYUVmncpi1yXGwE=; b=kTsEjaaBtQC7b0qHYUZjXSKrM4+Jf17qYFjtLYIeXJJ20YhPW6iYeW7GZLYjW0Bz10 JJbcOClDIb94ACepYEzeclwMvXxoRMr7G18G10LsY/WB1AbG9Octcb2JODtbeaijfMvx X8Im/EXJJAhjxzn6fEsbK+fJbFZXn6ZjmSslP4mvMtm0f7wEcXTVlXOvtrF35CBjs2oJ CeShqOPte3++jxqhRsYrFabJ/ey5aPIYTB1YOlyVKnYEYgNzSQ99UgIDBuR7zgovroYi sz+m1wfC4CiYqPQY7iu8UUNXGcCns06+mRsmeSEdUoxISSeT7K5OGPUVXY6CU74PGDrO OQzQ==
X-Gm-Message-State: AOAM5332nKJ6PL6bA3UK8y8O4geZ3Udjw11Lg09x8+6ZA0zwfgXCOSOg LMaadpwgM7BYTa0OlyihsnL0p9FRfD5++s9KauY=
X-Google-Smtp-Source: ABdhPJzCymqgEhfymYVWS9x5Nbn7HCv+yAKVskRsaowP6OiWGl5kyCIDfKRIoD9LrGh/tRHJg5tjzlLCfM5k4JqS2+s=
X-Received: by 2002:a2e:a492:: with SMTP id h18mr27196254lji.161.1620774804861; Tue, 11 May 2021 16:13:24 -0700 (PDT)
MIME-Version: 1.0
References: <F4CE48A1-7AB0-45D0-97FF-158CE3A04EE1@icann.org> <3EE971EE-0777-44D6-9CD2-771B92FFE938@hopcount.ca> <1d822219-8ab9-2cb7-d0a4-9b8afc39058d@powerdns.com> <2952D408-117B-40D0-B859-7A8E4111629E@hopcount.ca> <CAHbrMsD+uiaYQ8i58VRjF=3AtW9uAoAtgbKzNzrPZC3QCmD2pQ@mail.gmail.com> <CAH1iCirykCpqkQEizYUBYMJEXMYRGkWvnzyo-jP=XOT-4fP-EA@mail.gmail.com> <123fd984-a3e1-0d09-b745-9a7ed6260759@nic.cz> <CAHbrMsCrf8GS3N=HF53X-M0oq09yw_vKGFLU_qA6wt94-+vNXg@mail.gmail.com> <07FE2C2B-10C4-47B0-BFF7-AD8E980A2E26@hopcount.ca> <CAHbrMsB6qGs2QsvYMC9j2ahWAR80gdcsDbgihQiXYXG03OY9qQ@mail.gmail.com> <D72B8D52-50F8-457F-B123-D303F4865557@hopcount.ca> <CAHbrMsDzWjib5zfRpr3hJk4bjXjGAq9Z2pymPoLac9rJZPbWAQ@mail.gmail.com> <CAH1iCipSweK0nv06kLH0EJJD8Khn9kZTqjYLzSzN86mjr0ZQdA@mail.gmail.com> <CAHbrMsC_bjKXXWNdsDDS4jADBG0GNMMgTZCpo3JryLdwQGfbXw@mail.gmail.com> <CAH1iCipTh2iQZ8V=rnfJpomDrMGaMmHMxVs7=YEUYb6CFOAtTg@mail.gmail.com> <CAHbrMsCgG2joydsZ80DLNYP_qNOVKSqWUd_AR7Kop7w_sYBqLA@mail.gmail.com>
In-Reply-To: <CAHbrMsCgG2joydsZ80DLNYP_qNOVKSqWUd_AR7Kop7w_sYBqLA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 11 May 2021 16:13:13 -0700
Message-ID: <CAH1iCipqocx=S_DU4pDKAEfxeBi7in09bR0YZ6FPxAGniWcwaw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008134d405c2160aa0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sHOlxF0x9p-eSmKzCN7jECL7qos>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 23:13:32 -0000

On Tue, May 11, 2021 at 4:00 PM Ben Schwartz <bemasc@google.com> wrote:

>
>
> On Tue, May 11, 2021 at 3:44 PM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>> On Tue, May 11, 2021 at 2:49 PM Ben Schwartz <bemasc@google.com> wrote:
>>
>>>
>>>
>>> On Tue, May 11, 2021 at 2:31 PM Brian Dickson <
>>> brian.peter.dickson@gmail.com> wrote:
>>> ...
>>>
>>>> Another way to put it is, the SvcParameters are actually bound to the
>>>> TargetName, not the owner name of the HTTPS record, and the Web/CDN
>>>> provider is (semantically speaking, not DNS-speaking) "authoritative" for
>>>> those parameters.
>>>>
>>>> Is this accurate?
>>>>
>>>
>>> It sounds like one of the deployment arrangements that is anticipated by
>>> the draft.
>>> ...
>>>
>>>> In the current design, the domain owner needs to, in effect, do a
>>>> copy/paste from each Web/CDN providers' information into the domain owner's
>>>> own DNS zone, including the TargetName and SvcParameters.
>>>>
>>>
>>> No, as you noted, this is definitely a bad idea, and is not required or
>>> recommended in the draft.  Instead, the domain owner should use CNAME and
>>> AliasMode records to alias to an HTTPS ServiceMode record maintained by the
>>> CDN.  See the Examples section (
>>> https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-05.html#name-examples
>>> ).
>>>
>>>
>>
>> I'm maybe confused here... I thought the AliasMode (or CNAME) would only
>> work if there is exactly one CDN provider.
>> What would the domain owner need to do for having two CDN providers, at
>> different Priority levels (or at the same Priority level)?
>>
>
> Multi-CDN support is described here:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-05.html#name-multi-cdn
> It works exactly like multi-CDN works today, juggling multiple CNAMEs to
> avoid copying CDN IPs into the customer zone.
>
> I think a standardized mechanism to simplify management of this
> arrangement might be useful, but it is largely independent of SVCB and can
> be developed separately if there is interest.
>

Okay, so let me ask a (stupid) question:

What is the difference between

foo.example.com HTTPS 0 foo.example.net

and

foo.example.com HTTPS 1 foo.example.net

(and assume there is an HTTPS record at foo.example.net, which is the same
in both of those example cases.)

Brian