Re: [DNSOP] Minimum viable ANAME

Mark Andrews <marka@isc.org> Tue, 06 November 2018 22:53 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6494412870E for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 14:53:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WH8VGoQUzW4g for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 14:53:32 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A88C126F72 for <dnsop@ietf.org>; Tue, 6 Nov 2018 14:53:32 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EEBB33AC0B4; Tue, 6 Nov 2018 22:53:31 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B8F12160099; Tue, 6 Nov 2018 22:53:31 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A5952160098; Tue, 6 Nov 2018 22:53:31 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id x0p6OabP8gSc; Tue, 6 Nov 2018 22:53:31 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 48A51160097; Tue, 6 Nov 2018 22:53:30 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsDXBJF1ieOx4H-zgCQp7SursR7q_25i99njp6m0McLg3Q@mail.gmail.com>
Date: Wed, 7 Nov 2018 09:53:26 +1100
Cc: Erik Nygren <erik+ietf@nygren.org>, dnsop@ietf.org, Ray Bellis <ray@bellis.me.uk>, "Bishop, Mike" <mbishop@akamai.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CFCB645C-ED49-457A-BB16-12987C87EE9F@isc.org>
References: <201809211811.w8LIBdLA021837@atl4mhob20.registeredsite.com> <fdee6f3f-dd86-b482-5263-eb8e2a21bcb7@bellis.me.uk> <CAKC-DJi=Afer4uKprMf-uaNB07MVY-XJ+etocntY0BbU1bXYrg@mail.gmail.com> <CAHbrMsATrpdgP6PN2DSAjf+Nj7ZMywPu=FiGMzxjvoOm5ab2OA@mail.gmail.com> <F508AFA8-6611-4553-97AA-2A38A7F28691@isc.org> <CAHbrMsDXBJF1ieOx4H-zgCQp7SursR7q_25i99njp6m0McLg3Q@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vQ6BxjQrRS5wYyW8A9--K_Dbktk>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 22:53:35 -0000


> On 7 Nov 2018, at 9:25 am, Ben Schwartz <bemasc@google.com>; wrote:
> 
> 
> 
> On Tue, Nov 6, 2018 at 5:06 PM Mark Andrews <marka@isc.org>; wrote:
> 
> 
> > On 6 Nov 2018, at 5:27 am, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>; wrote:
> > 
> > On Sat, Nov 3, 2018 at 4:12 PM Erik Nygren <erik+ietf@nygren.org>; wrote:
> > How does draft-schwartz-httpbis-dns-alt-svc-02 with some changes to make it more DNS-aligned (e.g. the name as a separate field in the record) not help here?
> > 
> > Thanks for mentioning DNS-Alt-Svc, Erik.
> > 
> > Compared to URI or the proposed HTTP record, one thing that's different about DNS-Alt-Svc is that Alt-Svc is always optional, as currently defined, and DNS-Alt-Svc inherits those semantics.  That means servers have to be prepared for some users to ignore the ALTSVC record, so the apex would still need AAAA records.
> 
> The publishing or the lookup?
> 
> Both.  Most web servers don't make use of Alt-Svc, and browsers are under no obligation to respect it (and indeed many don't).  It's strictly an optimization, and everything still has to work correctly without it.

HTTP is optional to be published.  For HTTP to a solution to name to server mapping in the DNS it needs to be looked up by clients and ALTSRV would also need to be looked up clients at the time
A and AAAA records are being looked up.  Say it wouldn't is being disingenuous.  Legacy clients wouldn’t look it up.

> > Being optional may seem like a deficiency for this application, but I now think it's actually the best we can do as a first step.  If we start with an optional record type that offers added value (e.g. performance, privacy, or security), then both client vendors and server operators have a reason to invest in deployment.  Once it's widely deployed, then we can imagine simplified architectures that rely on the new record type, starting with servers that don't need to support legacy clients.
> > 
> > I think it's reasonable to have a roadmap to a full transformation of the DNS architecture for HTTP, but every step along the roadmap ought to have clear net benefit to each participating party.  This seems to require a design more or less like DNS Alt-Svc, where the additional indirection is coupled to other improvements for HTTP.
> >  
> >   It comes from the HTTP world and is aligned with the existing AltSvc feature and thus is useful in other ways (such as perhaps solving the DNS deployabilty issues for encrypted SNI):
> > 
> > https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02
> 
> 
> What are the rules for populating the additional section of a response?
> 
> The DNS Alt-Svc draft currently doesn't cover this, but I would definitely be interested to hear suggestions.  Since support is optional, the draft focuses on the RFC 3597 opaque record process, but we can certainly consider further optimizations that would be possible in ALTSVC-aware DNS servers.
>  
> It looks like nameservers will have to split the rdata up on commas the look for protocol-id=value pair at the start of comma separated field.  Then look for the :port and remove it from value.
> then look to see if there was a host specified and if so lookup up that name.
> 
> Wouldn’t be better to pre-parse the fields in the record?
> 
> [<len><id-len><id><host><port>[<name-len><name><value-len><value]*]{1+}
> 
> where host is in DNS wire format and . (00) is used for a empty host field in the alt-srv record?
> 
> Libraries can reconvert this to textual format if that makes it easier for a browser though
> you may as well use it in structured format.
> 
> I'm fine with minor alterations to the syntax, but I'm not convinced that it's important.  Parsing the contents is optional (per RFC 3597), and writing a parser is trivial (as you've described).

Given lots of browser people complained that SRV would require two round trips to the recursive server not describing how to populate the additional section would seem to be a non-starter.

Having to re-parse the record every time you serve it also seem like a big waste of resources so
no it really isn’t a minor alteration from the DNS side.

> Open-source parsers are widely available (e.g. from open-source browsers).  To avoid ossification, we'd need to have confidence that any deviations from the HTTP Alt-Svc syntax are losslessly interconvertible and future-proof, which is a high bar.

If you extend the syntax such that a parser to the binary format above breaks request a new type
and start using it.

> > - Erik
> > 
> >      
> > 
> > On Sun, Sep 23, 2018, 10:41 AM Ray Bellis <ray@bellis.me.uk wrote:
> > On 21/09/2018 19:11, JW wrote:
> > 
> > > I also feel from this discussion, we are all roughly on the same page. 
> > > We want SRV as the long term solution ...
> > 
> > except that we heard at the side meeting in Montreal (albeit from
> > browser people rather than content people) that they *don't* want SRV,
> > because it has fields that are not compatible with the web security model.
> > 
> > I still want to define a new RR that does have mutually agreed semantics
> > that's specifically for use by HTTP(s), but so far no takers.
> > 
> > Ray
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org