Re: [DNSOP] Minimum viable ANAME

Mark Andrews <marka@isc.org> Tue, 06 November 2018 22:05 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9CE5130E09 for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 14:05:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8X7aWJOf5efL for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 14:05:56 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 233F71288BD for <dnsop@ietf.org>; Tue, 6 Nov 2018 14:05:55 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 316503AC0A0; Tue, 6 Nov 2018 22:05:55 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 0E446160098; Tue, 6 Nov 2018 22:05:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D230E160097; Tue, 6 Nov 2018 22:05:54 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OcL48IdppWP8; Tue, 6 Nov 2018 22:05:54 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 6CBB3160050; Tue, 6 Nov 2018 22:05:53 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsATrpdgP6PN2DSAjf+Nj7ZMywPu=FiGMzxjvoOm5ab2OA@mail.gmail.com>
Date: Wed, 7 Nov 2018 09:05:50 +1100
Cc: Erik Nygren <erik+ietf@nygren.org>, dnsop@ietf.org, Ray Bellis <ray@bellis.me.uk>, "Bishop, Mike" <mbishop@akamai.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F508AFA8-6611-4553-97AA-2A38A7F28691@isc.org>
References: <201809211811.w8LIBdLA021837@atl4mhob20.registeredsite.com> <fdee6f3f-dd86-b482-5263-eb8e2a21bcb7@bellis.me.uk> <CAKC-DJi=Afer4uKprMf-uaNB07MVY-XJ+etocntY0BbU1bXYrg@mail.gmail.com> <CAHbrMsATrpdgP6PN2DSAjf+Nj7ZMywPu=FiGMzxjvoOm5ab2OA@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uWSJo8u9srqlzJ6vKlcMO2cPdZY>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 22:05:58 -0000


> On 6 Nov 2018, at 5:27 am, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>; wrote:
> 
> On Sat, Nov 3, 2018 at 4:12 PM Erik Nygren <erik+ietf@nygren.org>; wrote:
> How does draft-schwartz-httpbis-dns-alt-svc-02 with some changes to make it more DNS-aligned (e.g. the name as a separate field in the record) not help here?
> 
> Thanks for mentioning DNS-Alt-Svc, Erik.
> 
> Compared to URI or the proposed HTTP record, one thing that's different about DNS-Alt-Svc is that Alt-Svc is always optional, as currently defined, and DNS-Alt-Svc inherits those semantics.  That means servers have to be prepared for some users to ignore the ALTSVC record, so the apex would still need AAAA records.

The publishing or the lookup?

> Being optional may seem like a deficiency for this application, but I now think it's actually the best we can do as a first step.  If we start with an optional record type that offers added value (e.g. performance, privacy, or security), then both client vendors and server operators have a reason to invest in deployment.  Once it's widely deployed, then we can imagine simplified architectures that rely on the new record type, starting with servers that don't need to support legacy clients.
> 
> I think it's reasonable to have a roadmap to a full transformation of the DNS architecture for HTTP, but every step along the roadmap ought to have clear net benefit to each participating party.  This seems to require a design more or less like DNS Alt-Svc, where the additional indirection is coupled to other improvements for HTTP.
>  
>   It comes from the HTTP world and is aligned with the existing AltSvc feature and thus is useful in other ways (such as perhaps solving the DNS deployabilty issues for encrypted SNI):
> 
> https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02


What are the rules for populating the additional section of a response?

It looks like nameservers will have to split the rdata up on commas the look for protocol-id=value pair at the start of comma separated field.  Then look for the :port and remove it from value.
then look to see if there was a host specified and if so lookup up that name.

Wouldn’t be better to pre-parse the fields in the record?

[<len><id-len><id><host><port>[<name-len><name><value-len><value]*]{1+}

where host is in DNS wire format and . (00) is used for a empty host field in the alt-srv record?

Libraries can reconvert this to textual format if that makes it easier for a browser though
you may as well use it in structured format.


> - Erik
> 
>      
> 
> On Sun, Sep 23, 2018, 10:41 AM Ray Bellis <ray@bellis.me.uk wrote:
> On 21/09/2018 19:11, JW wrote:
> 
> > I also feel from this discussion, we are all roughly on the same page. 
> > We want SRV as the long term solution ...
> 
> except that we heard at the side meeting in Montreal (albeit from
> browser people rather than content people) that they *don't* want SRV,
> because it has fields that are not compatible with the web security model.
> 
> I still want to define a new RR that does have mutually agreed semantics
> that's specifically for use by HTTP(s), but so far no takers.
> 
> Ray
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org