Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Tommy Pauly <tpauly@apple.com> Thu, 23 July 2020 00:56 UTC

From: Tommy Pauly <tpauly@apple.com>
Message-id: <099D8D6A-FBBD-4A5A-B1A9-C67CF83DD3DF@apple.com>
Date: Wed, 22 Jul 2020 17:56:27 -0700
In-reply-to: <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com>
Cc: Alessandro Ghedini <alessandro@ghedini.me>, "dnsop@ietf.org" <dnsop@ietf.org>
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
References: <20200716151356.GA60024@wakko.flat11.house> <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tbquOVEuUy7jkfMFl6rkHBdNqIE>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS


> On Jul 22, 2020, at 5:46 PM, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:
> 
> I attempted to start implementing support for SVCB and HTTPS, and discovered that the data being served by Cloudflare does not conform to the current spec.
> 
> Assuming my decoder is correct, the response below decodes to:
> 
> 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4= ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e
> 
> and does not include a “mandatory” parameter.  But section 6.5 of draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key, says:
> 
> 	This SvcParamKey is always automatically mandatory,
> 
> which implies that there MUST be a “mandatory” parameter.  Is this an oversight in the Cloudflare implementation, or is the Cloudflare implementation not implementing the current version?

The Cloudflare record does conform correctly.

The “mandatory” key does NOT need to be included. “Automatically mandatory” keys do not need to be included. Mandatory just indicates which non-automatically-mandatory keys included in the record are required to be understood by clients, or else clients should reject them.

Thanks,
Tommy

> 
> Thanks,
> Brian
> 
>> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>> 
>> Hello,
>> 
>> Just a quick note that we have started serving "HTTPS" DNS records from
>> Cloudflare's authoritative DNS servers. Our main use-case right now is
>> advertising HTTP/3 support for those customers that enabled that feature (in
>> addition to using Alt-Svc HTTP headers).
>> 
>> If anyone is interested in trying this out you can query pretty much all domains
>> served by Cloudflare DNS for which we terminate HTTP.
>> 
>> For example:
>> 
>>  % dig blog.cloudflare.com type65
>> 
>> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;blog.cloudflare.com.		IN	TYPE65
>> 
>> ;; ANSWER SECTION:
>> blog.cloudflare.com.	300	IN	TYPE65	\# 76 000100000100150568332D32390568332D32380568332D3237026832 0004000868121A2E68121B2E00060020260647000000000000000000 68121A2E26064700000000000000000068121B2E
>> 
>> Cheers
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
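Decoding the 76-byte RDATA from the dig output above, as an added example that is not code from the thread or from Cloudflare: it parses the SVCB/HTTPS wire format (SvcPriority, TargetName, then ascending key/length/value SvcParams) and applies the rule Tommy states, that an absent “mandatory” key requires nothing extra while a present one lists the keys a client must understand or else reject the record. It assumes the SvcParamKey numbers registered by RFC 9460, which draft-ietf-dnsop-svcb-https became (0 mandatory, 1 alpn, 2 no-default-alpn, 3 port, 4 ipv4hint, 5 ech, 6 ipv6hint).

```python
import ipaddress
import struct

# Test input constructed from the dig output above: the 76 RDATA bytes.
CLOUDFLARE_RDATA = bytes.fromhex(
    "000100000100150568332D32390568332D32380568332D3237026832"
    "0004000868121A2E68121B2E00060020260647000000000000000000"
    "68121A2E26064700000000000000000068121B2E")
# SvcParamKey numbers per RFC 9460 (assumed; successor of the draft cited above):
# 0 mandatory, 1 alpn, 2 no-default-alpn, 3 port, 4 ipv4hint, 5 ech, 6 ipv6hint.
KNOWN_KEYS = frozenset(range(7))

def read_name(buf, off):
    """Decode an uncompressed wire-format name; the root is '.'."""
    labels = []
    while (n := buf[off]) != 0:
        if n & 0xC0:
            raise ValueError("no compression pointers in SVCB TargetName")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return "".join(lab + "." for lab in labels) or ".", off + 1

def decode_svcb(rdata):
    """Return (SvcPriority, TargetName, {key number: presentation value})."""
    target, off = read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        val, off = rdata[off + 4:off + 4 + length], off + 4 + length
        if key <= max(params, default=-1) or len(val) != length:  # ascending, untruncated
            raise ValueError("malformed SvcParams")
        if key == 0:                  # mandatory: list of 2-byte key numbers
            params[key] = list(struct.unpack("!%dH" % (length // 2), val))
        elif key == 1:                # alpn: sequence of length-prefixed ids
            ids, i = [], 0
            while i < length:
                ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            params[key] = ids
        elif key in (4, 6):           # ipv4hint / ipv6hint: packed addresses
            size = 4 if key == 4 else 16
            params[key] = [str(ipaddress.ip_address(val[i:i + size]))
                           for i in range(0, length, size)]
        else:                         # ech and unknown keys: kept as raw bytes
            params[key] = val
    return struct.unpack("!H", rdata[:2])[0], target, params

def client_accepts(params, understood=KNOWN_KEYS):
    """'mandatory' may be absent; if present, every key it lists must be understood."""
    return all(k in understood for k in params.get(0, []))
```

With those key numbers the record's second SvcParam (key 4, eight bytes) decodes as ipv4hint=104.18.26.46,104.18.27.46; the same eight bytes appear above in base64 as echconfig=aBIaLmgSGy4=.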