Re: [DNSOP] Fwd: HTTPSSVC record draft
Tim Wicinski <tjw.ietf@gmail.com> Tue, 09 July 2019 16:10 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE1C4120199 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2019 09:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Level:
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSduY3taGLUG for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2019 09:10:38 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95EF412017A for <dnsop@ietf.org>; Tue, 9 Jul 2019 09:10:31 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id m206so15747423oib.12 for <dnsop@ietf.org>; Tue, 09 Jul 2019 09:10:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S/iAtguzbbC+/3adi5OTSI+sj0uVchH+cs7bs4P5EZY=; b=OKA8h4sjO+A8E0whcSaSzvJntvTYBH6GiDSzTPVrfucOEK6+d+HZbl8wpquVzsLw4i DKcDcNA4kfbanQS+LA2ROH1VyuYYtD7ljeq4k/3P2sNH7ygHvDolRMN7wZRutr6JAGT3 j+20JjTvJcCUlZNxiO1e+YT9LBbH5igzlUJ7/Fe+5OWtlVYzjOyKdgsf5Iok0iawAlNp YP2n1iP66f4mNYUhPM1CjqC/Tb56yBOxRuzVHvms3lx0BMRbNluADRyOHoohy9nElFsS c0PXUqxWWXHScfCDftK4KbmQrAXklLF1+0TbAbbQANv4E2nVG/k47iQB+sYwY+gCZ1RW zx3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S/iAtguzbbC+/3adi5OTSI+sj0uVchH+cs7bs4P5EZY=; b=Q3Q6QmbKiK6ux1QsIoo+D4nXEVtBQ4cLcN2UAqDqa80KL6LMbZrn2T1uEZoCFehghw 4LOhxMHuZ0z46cVBRqM/eug6UGw5JnQ8mWXesD4k2e1JHa3VJdKKBCfYQcUYp+1zzNQ7 dp2V6o/RwYSRlJDPfgCUAqsfYrBZRdUIXtYAeibqODWC51sWv7pf0PY98UsjFYKsqqwu 4sRkUNp+E7KN4+a0S79PWj+M2JlnXd+SI3OYFIZbnuJEqYW4u3MhnjPiaJiCcrJ1yW1X QfD22h0EYI+rRZJhzw6M+O9EbBsx55cLH47H3H276bTNt+vklaBwFTWWaDOyR/UEJwo8 QahA==
X-Gm-Message-State: APjAAAUiV9b/SiCQe+mX5kPYbDraFLFN7RELgu/CUE+hXgjEehorqjg1 Lfm4MWj6FWp/1EBBNUM4dYB4GHf+pwB9SpDCoTkTdg==
X-Google-Smtp-Source: APXvYqwf4+2Wt14tNoDeo3xY0bsAuX74nyEyyn57dJWMrw7mlo095umU14Od6zPq+K4V/JYfJTIw1rgbr4hp/PILgaU=
X-Received: by 2002:a05:6808:d4:: with SMTP id t20mr491488oic.170.1562688630841; Tue, 09 Jul 2019 09:10:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <ae353a56-efe5-ce5d-1786-465fc0195071@bellis.me.uk> <CAKC-DJhaZoC2eNH8kP80Dfe-CnsOnRg6A6XDD7pWhwYdx8x7tA@mail.gmail.com>
In-Reply-To: <CAKC-DJhaZoC2eNH8kP80Dfe-CnsOnRg6A6XDD7pWhwYdx8x7tA@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Tue, 09 Jul 2019 12:10:19 -0400
Message-ID: <CADyWQ+EA4e8ye9e8AWomrXko06cnT+izfqmK+fHLWGB5NBveLg@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Ray Bellis <ray@bellis.me.uk>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bc64d4058d41cce3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xC2SQgG_gw_rKXfZuKzaGMt0V2E>
Subject: Re: [DNSOP] Fwd: HTTPSSVC record draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 16:10:42 -0000
Erik Speaking as myself and not a chair, I see way too many use cases which are API end points using ANAME like features. Those aren't browser based. I would hope for a solution which would work across all solution spaces - not just web browsers. Tim (speaking only as myself) On Mon, Jul 8, 2019 at 5:20 PM Erik Nygren <erik+ietf@nygren.org> wrote: > Ray, thanks for introducing this to dnsop! > I've published a -03 with some of the feedback received so far: > https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-03 > > For DNSOP folks, and ANAME proponents in-particular, > I/we are especially interested in understanding if this would address > enough of the customer use-cases driving ANAME were major > browsers to implement support for HTTPSSVC, or would any > limitations here cause problems there? > > I think the ideal would be for this to simultaneously solve > enough of the ANAME use-cases (to ideally obviate the need for ANAME) > and to also solve the other problems that clients are interested in solving > (ESNI via DNS, H/3 via DNS, etc) to get this broadly deployed at least > for the "web browser" use-case. > > Most significant changes from -01 to -03 based on feedback: > * Remove the redundant length fields from the wire format. > * Define a SvcDomainName of "." for SvcRecordType=1 as being the > HTTPSSVC RRNAME. > * Switch from 302 to 307 redirect for HSTS equivalent. > but there also some added examples and other clarifications based on > feedback received. > > While this is still an individual draft, we have been tracking it here: > https://github.com/MikeBishop/dns-alt-svc > but as always, commentary on the IETF lists is generally preferable. > > Erik > > > > > On Mon, Jul 8, 2019 at 5:01 AM Ray Bellis <ray@bellis.me.uk> wrote: > >> For those not paying attention to the HTTP-bis working group, this DNS >> RR was proposed there last week. >> >> It appears to subsume the ALT-SVC proposal and also covers the use case >> I had in mind with my HTTP Record draft (i.e. CNAME at the apex). >> >> Given that it has someone from at least major browser vendor supporting >> it there's some hope that this will actually be implemented by them. It >> therefore seems my draft is probably no longer required. Hopefully >> ANAME will follow it the same way ;-) >> >> Ray >> >> -------- Forwarded Message -------- >> Subject: HTTPSSVC record draft >> Resent-Date: Wed, 03 Jul 2019 18:46:25 +0000 >> Resent-From: ietf-http-wg@w3.org >> Date: Wed, 3 Jul 2019 14:45:47 -0400 >> From: Erik Nygren <erik+ietf@nygren.org> >> To: ietf-http-wg@w3.org Group <ietf-http-wg@w3.org>, Mike Bishop >> <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, Benjamin >> Schwartz <bemasc@google.com>, Erik Nygren - Work <nygren@akamai.com> >> >> >> >> >> Ben, Mike, and I have submitted the first version of a proposal for an >> "HTTPSSVC" DNS record. >> >> TL;DR: This attempts to address a number of problems (ESNI, QUIC >> bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for >> HTTP, etc) in a holistic manner through a new extensible DNS record, >> rather than in a piecemeal fashion. It is based on some previous >> proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes >> into account feedback received in DNSOP and elsewhere. >> >> Feedback is most welcome and we're looking forward to discussing with >> people in Montreal. >> >> Draft link: >> >> https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01 >> >> >> >> From the abstract: >> >> This document specifies an "HTTPSSVC" DNS resource record type to >> facilitate the lookup of information needed to make connections for >> HTTPS URIs. The HTTPSSVC DNS RR mechanism allows an HTTPS origin >> hostname to be served from multiple network services, each with >> associated parameters (such as transport protocol and keying material >> for encrypting TLS SNI). It also provides a solution for the inability >> of the DNS to allow a CNAME to be placed at the apex of a domain name. >> Finally, it provides a way to indicate that the origin supports HTTPS >> without having to resort to redirects, allowing clients to remove HTTP >> from the bootstrapping process. >> >> By allowing this information to be bootstrapped in the DNS, it allows >> for clients to learn of alternative services before their first contact >> with the origin. This arrangement offers potential benefits to both >> performance and privacy. >> >> This proposal is inspired by and based on recent DNS usage proposals >> such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to >> have SRV or a functional equivalent implemented for HTTP). These >> proposals each provide an important function but are potentially >> incompatible with each other, such as when an origin is load-balanced >> across multiple hosting providers (multi-CDN). Furthermore, these each >> add potential cases for adding additional record lookups in-addition to >> AAAA/A lookups. This design attempts to provide a unified framework >> that encompasses the key functionality of these proposals, as well as >> providing some extensibility for addressing similar future challenges. >> >> -- >> >> Some likely FAQs (with some others listed in an appendix): >> >> Q: Why this is HTTP-specific? >> A: This is because every protocol has different bootstrap requirements. >> This draft is concerned with improving the efficiency and security of >> bootstrapping HTTPS connections. This proposal does offer room for >> non-HTTPS protocols, but the nature of DNS requires underscore prefixing >> to support protocol-keyed answers within a single RRTYPE. It's also >> unlikely that a single RR format would be the ideal bootstrap mechanism >> for every protocol, and there's no reason that multiple protocols should >> have to share an RRTYPE. >> Q: Why is ESNI addressed directly? >> A: This helps make a major motivation of this draft more clear. >> Splitting out those sections to a separate-but-associated "alt-svc >> attribute for ESNI keys" draft might make sense, but keeping it here >> helps work through some of the issues together. >> >> Q: Why does this try to address the HSTS case? >> A: This is a unique opportunity to fix HTTPS bootstrap and avoid >> providing insecure defaults. We'd originally proposed a separate >> Alt-Svc attribute to indicate hsts-style behavior, but then realized >> that it would make sense to push on that as the default here. >> >> Best, Erik >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Fwd: HTTPSSVC record draft Ray Bellis
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Ray Bellis
- Re: [DNSOP] Fwd: HTTPSSVC record draft Brian Dickson
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Tim Wicinski
- Re: [DNSOP] Fwd: HTTPSSVC record draft Ben Schwartz
- Re: [DNSOP] Fwd: HTTPSSVC record draft Mark Andrews
- Re: [DNSOP] Fwd: HTTPSSVC record draft Paul Vixie
- Re: [DNSOP] Fwd: HTTPSSVC record draft Joe Abley
- Re: [DNSOP] Fwd: HTTPSSVC record draft Paul Vixie
- Re: [DNSOP] Fwd: HTTPSSVC record draft Tim Wicinski
- Re: [DNSOP] Fwd: HTTPSSVC record draft Matthijs Mekking
- Re: [DNSOP] Fwd: HTTPSSVC record draft 神明達哉
- Re: [DNSOP] Fwd: HTTPSSVC record draft Erik Nygren
- Re: [DNSOP] Fwd: HTTPSSVC record draft Christian Huitema