Re: [DNSOP] HTTPS/SVCB on Cloudflare DNS

Tim Wicinski <tjw.ietf@gmail.com> Thu, 23 July 2020 01:31 UTC

From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 22 Jul 2020 21:31:34 -0400
To: "Wellington, Brian" <bwelling=40akamai.com@dmarc.ietf.org>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Alessandro Ghedini <alessandro@ghedini.me>
In-Reply-To: <E5679D36-1C01-4534-BDFA-836B1FD5A33D@akamai.com>
Message-ID: <CADyWQ+GZX3K-Uh5BrRoLZeHwFJNLcubVb66pyOy73fhfeSL36Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uDYGXBFuLoBe2LxWenk-aiK-LLs>

Brian

I agree on clarity, and their git repo has been more recently updated.
I've been poking the authors on some better examples in the spec as well.

https://github.com/MikeBishop/dns-alt-svc


On Wed, Jul 22, 2020 at 9:20 PM Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:

> ok.  So, what this means is that keys listed in the “mandatory” parameter
> must be included as parameters, and are required to be understood by
> clients.  The set of “automatically mandatory” keys are required to be
> understood by clients, but are not required in the RR.
>
> I’m a native English speaker, and have been working with DNS for over 20
> years.  If I’m having trouble understanding this, perhaps the spec should
> be a bit clearer.
>
> Brian
>
> On Jul 22, 2020, at 5:56 PM, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
>
>
>
> On Jul 22, 2020, at 5:46 PM, Wellington, Brian <bwelling=40akamai.com@dmarc.ietf.org> wrote:
>
> I attempted to start implementing support for SVCB and HTTPS, and
> discovered that the data being served by Cloudflare does not conform to the
> current spec.
>
>
> Assuming my decoder is correct, the response below decodes to:
>
> 1 . alpn=h3-29,h3-28,h3-27,h2 echconfig=aBIaLmgSGy4=
> ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e
>
> and does not include a “mandatory” parameter.  But section 6.5 of
> draft-ietf-dnsop-svcb-https, which is talking about the “mandatory” key,
> says:
>
> This SvcParamKey is always automatically mandatory,
>
> which implies that there MUST be a “mandatory” parameter.  Is this an
> oversight in the Cloudflare implementation, or is the Cloudflare
> implementation not implementing the current version?
>
>
> The Cloudflare record does conform correctly.
>
> The “mandatory” key does NOT need to be included. “Automatically
> mandatory” keys do not need to be included. Mandatory just indicates which
> non-automatically-mandatory keys included in the record are required to be
> understood by clients, or else clients should reject them.
>
> Thanks,
> Tommy
>
>
> Thanks,
> Brian
>
> On Jul 16, 2020, at 8:13 AM, Alessandro Ghedini <alessandro@ghedini.me> wrote:
>
> Hello,
>
> Just a quick note that we have started serving "HTTPS" DNS records from
> Cloudflare's authoritative DNS servers. Our main use-case right now is
> advertising HTTP/3 support for those customers that enabled that feature (in
> addition to using Alt-Svc HTTP headers).
>
> If anyone is interested in trying this out you can query pretty much all
> domains served by Cloudflare DNS for which we terminate HTTP.
>
> For example:
>
>  % dig blog.cloudflare.com type65
>
> ; <<>> DiG 9.16.4-Debian <<>> blog.cloudflare.com type65
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;blog.cloudflare.com.		IN	TYPE65
>
> ;; ANSWER SECTION:
> blog.cloudflare.com.	300	IN	TYPE65	\# 76 000100000100150568332D32390568332D32380568332D3237026832
> 0004000868121A2E68121B2E00060020260647000000000000000000
> 68121A2E26064700000000000000000068121B2E
>
> Cheers
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
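The two points the thread settles, how the type 65 RDATA bytes in the quoted dig output decode and what the "mandatory" key does and does not require, as an added example (not code from the draft, from Cloudflare, or from any poster). It is a Python decoder for the SVCB/HTTPS wire format plus the client-side mandatory check as Tommy and Brian describe it: a key listed in "mandatory" must be present in the RR and understood, "mandatory" may be absent, and automatically mandatory keys need no listing but must be understood when present. Key numbers are the draft's registry as of 2020 (0 mandatory, 1 alpn, 2 no-default-alpn, 3 port, 4 ipv4hint, 5 echconfig, 6 ipv6hint). The automatically mandatory set defaults to key 0 only, the one the thread cites, and is a parameter so a client can add others. SAMPLE_WITH_MANDATORY is a record constructed here for illustration, not a real one.

```python
"""Decode SVCB/HTTPS (type 65) RDATA and apply the draft's "mandatory" rules.
Added example for this thread; not code from the draft, Cloudflare or any poster.
SvcParamKey numbers follow the draft's registry as of July 2020 (KEY_NAMES)."""
import base64
import ipaddress
import struct

KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "echconfig", 6: "ipv6hint"}

# The 76 RDATA bytes exactly as shown in the dig output quoted in this thread.
CLOUDFLARE_RDATA = bytes.fromhex(
    "000100000100150568332D32390568332D32380568332D3237026832"
    "0004000868121A2E68121B2E00060020260647000000000000000000"
    "68121A2E26064700000000000000000068121B2E")

# Constructed, not a real record: 1 . mandatory=alpn,echconfig alpn=h2 echconfig=<2 bytes>
SAMPLE_WITH_MANDATORY = bytes.fromhex(
    "0001" "00" "00000004" "00010005" "00010003" "026832" "00050002" "abcd")

def _read_name(data, off):
    """Read an uncompressed wire-format name; return (presentation text, new offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63:  # oversized label or a compression pointer; neither is allowed here
            raise ValueError("invalid label length in SVCB TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def parse_svcb(rdata):
    """Return (priority, target, {key: raw value}); keys must strictly increase."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:  # out of order, which also covers duplicates
            raise ValueError(f"SvcParamKey {key} is out of order or duplicated")
        if off + length > len(rdata):
            raise ValueError(f"value for key {key} runs past the end of RDATA")
        params[key] = rdata[off:off + length]
        off, last_key = off + length, key
    return priority, target, params

def check_mandatory(params, understood, automatically_mandatory=frozenset({0})):
    """Return the keys this RR obliges the client to understand, or raise ValueError.
    Key 0 may be absent; if present it names keys that must be in the RR and understood,
    never itself.  Automatically mandatory keys (the thread cites key 0) need no listing."""
    listed = set()
    if 0 in params:
        raw = params[0]
        if not raw or len(raw) % 2:
            raise ValueError("malformed 'mandatory' value")
        listed = set(struct.unpack(f"!{len(raw) // 2}H", raw))
        if 0 in listed:
            raise ValueError("'mandatory' must not list itself")
        missing = listed - set(params)
        if missing:
            raise ValueError(f"mandatory keys absent from the RR: {sorted(missing)}")
    required = listed | (set(automatically_mandatory) & set(params))
    unsupported = required - set(understood)
    if unsupported:
        raise ValueError(f"RR requires keys this client lacks: {sorted(unsupported)}")
    return required

def _decode_value(key, val):
    """Presentation text for one SvcParamValue (None for the valueless key 2)."""
    if key == 0:
        keys = struct.unpack(f"!{len(val) // 2}H", val)
        return ",".join(KEY_NAMES.get(k, f"key{k}") for k in keys)
    if key == 1:  # sequence of length-prefixed ALPN identifiers
        ids, i = [], 0
        while i < len(val):
            n = val[i]
            ids.append(val[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return ",".join(ids)
    if key == 2:
        return None
    if key == 3:
        return str(struct.unpack("!H", val)[0])
    if key in (4, 6):
        cls, size = (ipaddress.IPv4Address, 4) if key == 4 else (ipaddress.IPv6Address, 16)
        return ",".join(str(cls(val[i:i + size])) for i in range(0, len(val), size))
    return base64.b64encode(val).decode("ascii")  # echconfig and unknown keys are opaque

def to_presentation(rdata):
    priority, target, params = parse_svcb(rdata)
    parts = [str(priority), target]
    for key, val in params.items():
        name, text = KEY_NAMES.get(key, f"key{key}"), _decode_value(key, val)
        parts.append(name if text is None else f"{name}={text}")
    return " ".join(parts)
```

Decoding CLOUDFLARE_RDATA gives `1 . alpn=h3-29,h3-28,h3-27,h2 ipv4hint=104.18.26.46,104.18.27.46 ipv6hint=2606:4700::6812:1a2e,2606:4700::6812:1b2e`; there is no key 0, so check_mandatory returns an empty set for any client, which is the behaviour Tommy describes. The middle parameter is key 4; its eight bytes 68121A2E68121B2E base64-encode to aBIaLmgSGy4=, so a decoder whose table maps key 4 to echconfig will print exactly the line quoted earlier in the thread, which is worth checking against the registry before concluding a record is malformed. For SAMPLE_WITH_MANDATORY, a client that understands keys 0 and 1 but not 5 must reject the record, and a record whose "mandatory" names a key that is not present, or whose keys are out of order, is rejected at parse time.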