Re: [DNSOP] [Ext] Questions / concerns with draft-ietf-dnsop-svcb-https (in RFC Editor queue)

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 08 September 2022 03:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uAU87SrIPOD7YPibqpcGoWMiBZI>

On Wed, Sep 7, 2022 at 7:41 PM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Sep 7, 2022, at 5:48 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> > Once SVCB resolution has concluded, whether successful or not,
> > +if at least one AliasMode record was processed,
> > SVCB-optional clients SHALL append to the priority list an
> > endpoint consisting of the final value of $QNAME, the authority
> > endpoint's port number, and no SvcParams.  (This endpoint will be
> > attempted before falling back to non-SVCB connection modes.  This ensures that
> > SVCB-optional clients will make use of an AliasMode record whose TargetName has
> > A and/or AAAA records but no SVCB records.)
>
> What happens under the current wording, before the addition above? That
> is, if no AliasMode record was processed, is the addition along the lines
> of "you can only add this if you have it, and if no AliasMode record was
> processed, you don't have it"? Or does the addition solve the problem "if
> no AliasMode record was processed, the thing you append will be harmful"?
>

Yes.

If no AliasMode record was processed, then $QNAME would be the origin name
PLUS the prefix(es) of type attrleaf (underscore thingies). Those won't be
legitimate A/AAAA owner names (and shouldn't exist), and if a client did
that it would be harmful (to the client), at least a little bit harmful
(trying something that won't work).

If instead of the initial $QNAME, the origin name (and port) is added to
the end of the list, that is literally the exact same thing as non-SVCB
connection mode, so adding that to the list would be moot.

Brian
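The following is an added example, not code from this thread or from the SVCB draft, that models the two cases Brian describes: an SVCB-optional client that processed no AliasMode record (so $QNAME still carries the `_port._scheme` attrleaf prefix) versus one that followed an AliasMode record to a TargetName that has A records but no SVCB records. The zone data, the `ALIAS_LIMIT` bound, and the simplified ServiceMode handling (host only, no SvcParams) are constructed assumptions for illustration; the `append_only_after_alias` switch stands in for the proposed "+if at least one AliasMode record was processed" condition.

```python
"""Toy model of SVCB-optional client resolution (draft-ietf-dnsop-svcb-https).

Constructed example: the zone below is not real DNS data, and the client logic
is reduced to the parts relevant to the AliasMode fallback question.
"""
from dataclasses import dataclass

ALIAS_LIMIT = 8  # assumed bound on AliasMode chain length (the draft only requires some limit)


@dataclass(frozen=True)
class SvcbRR:
    priority: int   # 0 = AliasMode, > 0 = ServiceMode
    target: str     # TargetName; "." is special in both modes


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    params: tuple = ()  # SvcParams; always empty for the appended fallback endpoint


# Constructed zone data for the example: (owner, rrtype) -> records.
ZONE = {
    ("_8443._foo.example.com", "SVCB"): [SvcbRR(0, "svc.example.net")],  # AliasMode -> svc.example.net
    ("svc.example.net", "A"): ["192.0.2.10"],                             # target has A but no SVCB
    ("example.com", "A"): ["192.0.2.1"],                                  # the origin itself
    # "_8443._bar.example.com" deliberately has no records of any type
}


def lookup(owner: str, rrtype: str) -> list:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((owner, rrtype), [])


def svcb_qname(origin: str, scheme: str, port: int) -> str:
    """Initial $QNAME: _port._scheme.origin, except HTTPS on the default port."""
    if scheme == "https" and port == 443:
        return origin
    return f"_{port}._{scheme}.{origin}"


def resolve(origin: str, scheme: str, port: int, *, append_only_after_alias: bool):
    """Return (priority_list, non_svcb_fallback) for an SVCB-optional client.

    append_only_after_alias=False models the wording under discussion as written;
    True models it with the proposed AliasMode condition added.
    """
    qname = svcb_qname(origin, scheme, port)
    priority_list = []
    alias_processed = False
    for _ in range(ALIAS_LIMIT):
        rrs = lookup(qname, "SVCB")
        aliases = [r for r in rrs if r.priority == 0]
        if not aliases:
            # ServiceMode records (if any) go on the list; "." means the owner name.
            for r in sorted(rrs, key=lambda r: r.priority):
                host = qname if r.target == "." else r.target
                priority_list.append(Endpoint(host, port))
            break
        alias_processed = True
        if aliases[0].target == ".":
            break  # AliasMode with TargetName "." : service not available
        qname = aliases[0].target  # follow the alias; $QNAME changes here
    # The appended endpoint uses the *final* value of $QNAME and the authority port.
    if alias_processed or not append_only_after_alias:
        priority_list.append(Endpoint(qname, port))
    # Non-SVCB connection mode is always the origin name and port.
    return priority_list, Endpoint(origin, port)


def usable(ep: Endpoint) -> bool:
    """Would connecting to this endpoint even get an address? (A only, for the toy.)"""
    return bool(lookup(ep.host, "A"))


if __name__ == "__main__":
    for scheme, cond in (("bar", False), ("bar", True), ("foo", True)):
        plist, fallback = resolve("example.com", scheme, 8443, append_only_after_alias=cond)
        print(scheme, cond, [(e.host, e.port, usable(e)) for e in plist], "fallback:", fallback.host)
```

With no AliasMode record and no condition, the appended endpoint is `_8443._bar.example.com:8443`, an attrleaf owner name with no A/AAAA records, so the client burns an attempt on it before reaching the identical-to-fallback `example.com:8443`. With the condition, nothing is appended in that case, while the alias case still yields `svc.example.net:8443`, which has an A record and no SVCB records, which is exactly the situation the appended endpoint exists for.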