Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
Tim Wicinski <tjw.ietf@gmail.com> Thu, 23 July 2020 01:31 UTC
References: <20200716151356.GA60024@wakko.flat11.house> <9975DA88-525A-4FC3-9517-70E128A4776D@akamai.com> <099D8D6A-FBBD-4A5A-B1A9-C67CF83DD3DF@apple.com> <E5679D36-1C01-4534-BDFA-836B1FD5A33D@akamai.com>
In-Reply-To: <E5679D36-1C01-4534-BDFA-836B1FD5A33D@akamai.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 22 Jul 2020 21:31:34 -0400
Message-ID: <CADyWQ+GZX3K-Uh5BrRoLZeHwFJNLcubVb66pyOy73fhfeSL36Q@mail.gmail.com>
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Alessandro Ghedini <alessandro@ghedini.me>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uDYGXBFuLoBe2LxWenk-aiK-LLs>
Subject: Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS
Brian

I agree on clarity, and their git repo has been more recently updated. I've been poking the authors on some better examples in the spec as well.

https://github.com/MikeBishop/dns-alt-svc

On Wed, Jul 22, 2020 at 9:20 PM Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:

> ok. So, what this means is that keys listed in the “mandatory” parameter
> must be included as parameters, and are required to be understood by
> clients. The set of “automatically mandatory” keys are required to be
> understood by clients, but are not required in the RR.
>
> I’m a native English speaker, and have been working with DNS for over 20
> years. If I’m having trouble understanding this, perhaps the spec should
> be a bit clearer.
>
> Brian
>
> On Jul 22, 2020, at 5:56 PM, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
>
> On Jul 22, 2020, at 5:46 PM, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:
>
> I attempted to start implementing support for SVCB and HTTPS, and
> discovered that the data being served by Cloudflare does not conform to the
> current spec.
>
> Assuming my decoder is correct, the response below decodes to:
>
> 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4=
> ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e
>
> and does not include a “mandatory” parameter. But section 6.5 of
> draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key,
> says:
>
> This SvcParamKey is always automatically mandatory,
>
> which implies that there MUST be a “mandatory” parameter. Is this an
> oversight in the Cloudflare implementation, or is the Cloudflare
> implementation not implementing the current version?
>
> The Cloudflare record does conform correctly.
>
> The “mandatory” key does NOT need to be included. “automatically
> mandatory” keys do not need to be included. Mandatory just indicates which
> non-automatically-mandatory keys included in the record are required to be
> understood by clients, or else clients should reject them.
>
> Thanks,
> Tommy
>
> Thanks,
> Brian
>
> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>
> Hello,
>
> Just a quick note that we have started serving "HTTPS" DNS records from
> Cloudflare's authoritative DNS servers. Our main use-case right now is
> advertising HTTP/3 support for those customers that enabled that feature (in
> addition to using Alt-Svc HTTP headers).
>
> If anyone is interested in trying this out you can query pretty much all domains
> served by Cloudflare DNS for which we terminate HTTP.
>
> For example:
>
> % dig blog.cloudflare.com type65
>
> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;blog.cloudflare.com.		IN	TYPE65
>
> ;; ANSWER SECTION:
> blog.cloudflare.com.	300	IN	TYPE65	\# 76
> 000100000100150568332D32390568332D32380568332D3237026832
> 0004000868121A2E68121B2E00060020260647000000000000000000
> 68121A2E26064700000000000000000068121B2E
>
> Cheers
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
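The record Alessandro quotes, walked through an added decoder (example code written for this page, not anything from the thread, from Cloudflare or from the draft's authors): it parses the RFC 3597 payload into priority, target and SvcParams, labels the keys with the numbers RFC 9460 eventually registered (key 4 = ipv4hint, key 6 = ipv6hint), and applies the "mandatory" rule as Tommy states it, namely that key 0 is itself optional and, when present, every key it lists must be in the record and understood by the client. The set of keys the toy client "understands" is an assumption.

```python
import ipaddress
import struct

# Constructed input: the 76-byte RFC 3597 "\# 76" payload quoted in the thread.
HEX_PAYLOAD = ("000100000100150568332D32390568332D32380568332D3237026832"
               "0004000868121A2E68121B2E00060020260647000000000000000000"
               "68121A2E26064700000000000000000068121B2E")
# SvcParamKey numbers as registered by RFC 9460; assumed: the toy client understands all of them.
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def read_name(buf, off):
    """Uncompressed wire-format name at off -> (presentation name, offset after it)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def decode_value(key, raw):
    if key == 0:  # mandatory: list of uint16 SvcParamKeys
        return [KEY_NAMES.get(k, f"key{k}") for k in struct.unpack(f"!{len(raw) // 2}H", raw)]
    if key == 1:  # alpn: concatenated length-prefixed ALPN ids
        out, i = [], 0
        while i < len(raw):
            out.append(raw[i + 1:i + 1 + raw[i]].decode("ascii"))
            i += 1 + raw[i]
        return out
    if key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(raw[i:i + size])) for i in range(0, len(raw), size)]
    return raw.hex()  # ech and unknown keys: left opaque here

def parse_svcb(rdata):
    """RDATA -> (priority, target, {key: raw bytes}); keys must ascend and fit the RDATA."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = read_name(rdata, 2)
    params, last = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last or off + 4 + length > len(rdata):
            raise ValueError(f"malformed SvcParam {key}")
        params[key], off, last = rdata[off + 4:off + 4 + length], off + 4 + length, key
    return priority, target, params

def check_mandatory(params, understood=frozenset(KEY_NAMES)):
    """None if a client may use the record, else why it must ignore it; key 0 is itself optional."""
    for k in struct.unpack(f"!{len(params.get(0, b'')) // 2}H", params.get(0, b"")):
        if k == 0 or k not in params or k not in understood:  # listed keys must be present & understood
            return f"mandatory key {k} unsatisfied"
    return None
```

Under this key numbering the 8-byte value at key 4 decodes as two IPv4 hints, which is the same 8 bytes that Brian's decoder printed as echconfig in base64.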