IETF Logo Mail Archive

Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02

Ben Schwartz <bemasc@google.com> Mon, 20 April 2020 23:37 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2733A1302 for <dnsop@ietfa.amsl.com>; Mon, 20 Apr 2020 16:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.699
X-Spam-Level:
X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZvxf2QLokSS for <dnsop@ietfa.amsl.com>; Mon, 20 Apr 2020 16:37:09 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 833253A12FF for <dnsop@ietf.org>; Mon, 20 Apr 2020 16:37:09 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id x25so1501289wmc.0 for <dnsop@ietf.org>; Mon, 20 Apr 2020 16:37:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nqaqcDOcJ+CdNcli8BJCNLUSJuDHbjwZDQacwU8PsnA=; b=AGyglwfqF8LAfjsTTKdNqA3dkxNHQzexca2z1BNs1+HDCdV6JIZuC414KanbzG+DCY C5DabuDZLBGtEZ/SRtiYndAxznFHlUuVG1cJKbhmqAKPqpyG18YMVOzsEC8WCB/fEgyJ 6tXDrFHTOTpZ7cm6VcmIhMlv8z7kYkvWMzHd0JOFvWkSNWZHaoQdaPQ7rFPjO+mfdcS9 T4/BgXQbDkSm4I8xKKFPFiCjd6liYmA4blzkJGdrk9/O5kQo3YKxcXDIlyrud91g73S3 5QlN/pHAc4tsn+EJprLt6fSnR2+ZQH5NB4Pn5j1GKeQZy7YQx/0D1CA/hQGvEGndArwd toNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nqaqcDOcJ+CdNcli8BJCNLUSJuDHbjwZDQacwU8PsnA=; b=bWBJzp5d1ZWWsF+tZ6Z+j8y7PgCrit0tO87uqUtusRyldhPALqoOXB/zv2dU5l5M52 vkOanjRc3geu/jqSqjlsmcV5+O7rmyV08O9nxoRDyINmIGyimHhorRsYJEw6oSs6WRUI EhRo6EtOhqCSJu/K+OxGRWOcWKBDhIIJp0u13mN9uNJyFpFowDFgSa0SF6LAF3cXjFFy YtKe4ADDNKqvvXUdcHR0ephjahprPok6KQGfLjBBp1o5iOD+KB6oh/ewyhlZUbXx9KZk HhA59yjxGj1erqmTv+XPZXQ++qW3T9w0cG0ocI/ujucntZm7bJNoimMNz+1nGOC6vRik 649w==
X-Gm-Message-State: AGi0PuY/HUJ/ZXPIqwm0uC4elirkxvu+O1yp7kybAlHsBVq5FagGqVt5 ow0SaOsg4vsLvDFahkWqnM6xbxwPkMSUHTxjAeBWX66+2ao=
X-Google-Smtp-Source: APiQypIF9c13+eDqLaiZ/xdiBQmuIvPinOf7PJa51hHB4p9BiboRpPWSUMsAX817MGGU5zwV6f39sxDpZwF7XQOtRY0=
X-Received: by 2002:a05:600c:2284:: with SMTP id 4mr1704346wmf.97.1587425827379; Mon, 20 Apr 2020 16:37:07 -0700 (PDT)
MIME-Version: 1.0
References: <20200417101932.GA2035@wakko.flat11.house>
In-Reply-To: <20200417101932.GA2035@wakko.flat11.house>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 20 Apr 2020 19:36:55 -0400
Message-ID: <CAHbrMsDa-gZfqWVbb1LZNRJTHmgE5FPo2k2KKUJfQ3vLn7GETw@mail.gmail.com>
To: Alessandro Ghedini <alessandro@ghedini.me>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000097a9b005a3c1606b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xLsyi0tKQ8OiZ0y2qzmkTB4G6qI>
Subject: Re: [DNSOP] Comments on draft-ietf-dnsop-svcb-httpssvc-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Apr 2020 23:37:14 -0000

On Fri, Apr 17, 2020 at 6:20 AM Alessandro Ghedini <alessandro@ghedini.me>
wrote:

> Hello,
>
> First off, I have started implementing support for SVCB and HTTPSSVC as
> part of
> the dnspython library [0] and I'd be interested in doing some interop
> testing
> with other people's implementations.
>
> I also have a few comments/questions about the draft, apologies if they
> have
> already been discussed in the past (haven't been following the draft from
> the
> start).
>
> 1. For interop testing purposes it would be very helpful if the draft
> listed
> commonly agreed upon code-points for the new RR types. Ideally in the form
> of an
> official early assignment from IANA, but if that's not possible picking a
> couple
> of codepoints at random from the "private use" range would also be
> helpful. In
> my implementation I'm currently using "65481" for SVCB and "65482" for
> HTTPSSVC.
>
> 2. The structure of the draft is a bit odd, as it lists a bunch of examples
> before introducing any of the records. This was a bit confusing to me, so
> I'd
> suggest moving sections 1.5 and 1.6 _before_ the examples (that is,
> immediately
> after the introduction). It might also be a good idea to just move the
> examples
> to an Appendix instead.
>

Noted as https://github.com/MikeBishop/dns-alt-svc/issues/135

3. Would it make sense to move the ESNI/ECHO config paramenter to the
> ESNI/ECHO
> draft instead? This way the DNS draft wouldn't need to depend on the ESNI
> draft
> (so e.g. if ESNI ends up taking longer, this draft could be published
> without
> having to wait for it).
>

That's an interesting question.  My main concern with separating it is that
ECHO is the only reason we need to disable fallback, and the need to
support clients that can't use fallback is a major factor in the design.


> 4. What is the point of differentiating between AliasForm and ServiceForm?
> Like,
> couldn't the draft just say that the SvcFieldValue is an optional field
> and be
> done with that? It seems like not having to explicitly differentiate the
> two
> cases would simplify the draft a bit without sacrificing much, though I
> might
> be missing something.
>

It's true that there is no great distinction to an authoritative server.
However, the resolution procedure is quite different.  If there is an
AliasForm, the resolver should follow only one RR (ignoring all the
others), and should re-query SVCB.  Otherwise, it should follow all the
RRs, but only querying A and AAAA.

(To an authoritative, the only distinction I can think of is that "." is
not allowed for AliasForm, because it represents a reference cycle.)


> 5. Section 2.1.1 says
>
>    The presentation format for SvcFieldValue is a whitespace-separated
>    list of elements representing a key-value pair, with an absent value
>    or "=" indicating an empty value.
>
> It took me longer than I'd like to admit to understand the "with an absent
> value
> or "=" indicating an empty value" part. I'd suggest rewording that
> paragraph to
> something like:
>
>    The presentation format for SvcFieldValue is a whitespace-separated
> list of
>    key=value pairs (e.g. "key123=value1 keys456=value2"). When the value,
> or
>    both the value and the "=" are omitted, the value should be interpreted
> as
>    being empty.
>
> Or something better :)
>

Noted as https://github.com/MikeBishop/dns-alt-svc/issues/136


> 6. In Section 2.2 it says (in reference to param field values):
>
>    o  an octet string of the length defined by the previous field.
>
> It might be good to say here that the format of this octet string is
> defined
> according to the corresponding SvcParamKey, and then reference section 6
> for
> ths currently defined keys. The same applies for section 2.1.1 for the
> presentation format.
>
> 7. Section 4.3 says:
>
>    All DNS servers SHOULD treat the SvcParam portion of the SVCB RR...
>
> Should it be SvcFieldValue instead of SvcParam? "SvcParam" is not mentioned
> anywhere else.
>

You're right.  https://github.com/MikeBishop/dns-alt-svc/pull/137

8. Maybe I'm missing something, but the following sentence in Section 6.4
> seems
> wrong:
>
>    When SvcDomainName is ".", server operators SHOULD NOT include these
> hints,
>    because they are unlikely to convey any performance benefit.
>
> My understanding is that ipv4hint and ipv6hint are the way to solve the
> ESNI
> multi-CDN problem


Not exactly.  Hints are not required for that.  Instead, the requirement is
that each RR contains a matched SvcFieldValue and SvcDomainName, from the
same CDN.  The A/AAAA lookup for the SvcDomainName then provides the IPs.

The purpose of IP hints is to reduce resolution latency in that scenario,
only in the case where the recursive resolver is not SVCB-aware, by
avoiding the need to wait for the A/AAAA lookup.

, so let's say I have "www.example.net" that CNAMEs to both
> "cname.cdn-a.example" and "cname.cdn-b.example". A client queries both A
> and
> HTTPSVC concurrently for "www.example.net", and receives two answers (the
> answer
> to the A query points to CDN A, while the answer to HTTPSSVC points to CDN
> B):
>
>     www.xample.net      3600 IN CNAME cname.cdn-a.example
>     cname.cdn-a.example 3600 IN A 192.0.2.1
>
> and
>
>     www.xample.net      3600 IN CNAME cname.cdn-b.example
>     cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=h3 esniconfig="..."
>
>
(You have two distinct CNAMEs for "www.xample.net" listed there.
Technically this is not allowed by the CNAME specification.  However, we
can ignore that issue.)


> My understanding is that in this case the client could end up connecting to
> 192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong ALPN).


No, this is not possible.  When using B's ESNI config, the only allowed IP
addresses are those for cname.cdn-b.example.

In this case (as with any case where SvcDomainName=".", IP hints would not
provide a performance advantage, because HTTPSSVC is always queried in
parallel with A/AAAA, so the record for cname.cdn-b.example will come back
along with the corresponding IPs anyway.

...

> 9. Speaking of multi-CDN, AFAICT the problem is mentioned only once in the
> whole
> draft and only in relation to ESNI. However this is not ESNI-specific and
> also
> affects e.g. HTTP/3 as per the example above. So I think it would be
> useful to
> go into a little more detail on this.
>

OK, please suggest text.


> 10. Section B.2: s/pther/other/
>

Will fix.


>
> Cheers
>
> [0] https://github.com/rthalley/dnspython/pull/452
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.40.3 | Report a Bug | By Email | System Status