Interactions between web clients and the DNS
Ray Bellis <ray@bellis.me.uk> Thu, 08 November 2018 15:19 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADABE128CE4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Nov 2018 07:19:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.652
X-Spam-Level:
X-Spam-Status: No, score=-2.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54Lvw7_9Eq-d for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Nov 2018 07:19:32 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F77C128BCC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 8 Nov 2018 07:19:31 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1gKm2w-0004uq-8O for ietf-http-wg-dist@listhub.w3.org; Thu, 08 Nov 2018 15:16:38 +0000
Resent-Date: Thu, 08 Nov 2018 15:16:38 +0000
Resent-Message-Id: <E1gKm2w-0004uq-8O@frink.w3.org>
Received: from uranus.w3.org ([128.30.52.58]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <ray@bellis.me.uk>) id 1gKm2t-0004uC-Tf for ietf-http-wg@listhub.w3.org; Thu, 08 Nov 2018 15:16:35 +0000
Received: from www-data by uranus.w3.org with local (Exim 4.89) (envelope-from <ray@bellis.me.uk>) id 1gKm2t-0005Gu-5p for ietf-http-wg@listhub.w3.org; Thu, 08 Nov 2018 15:16:35 +0000
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <ray@bellis.me.uk>) id 1gKlv7-0005wG-Vg for ietf-http-wg@listhub.w3.org; Thu, 08 Nov 2018 15:08:34 +0000
Received: from hydrogen.portfast.net ([188.246.200.2]) by titan.w3.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.89) (envelope-from <ray@bellis.me.uk>) id 1gKlv6-0005jc-NV for ietf-http-wg@w3.org; Thu, 08 Nov 2018 15:08:33 +0000
Received: from cm-114-109-178-6.revip13.asianet.co.th ([114.109.178.6]:49971 helo=Rays-MacBook-Pro.local) by hydrogen.portfast.net ([188.246.200.2]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.0:RSA_AES_128_CBC_SHA1:16) id 1gKlui-0002CW-Cn (Exim 4.72) for ietf-http-wg@w3.org (return-path <ray@bellis.me.uk>); Thu, 08 Nov 2018 15:08:09 +0000
To: ietf-http-wg@w3.org
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <26c7530e-1d1f-1087-f55e-2c69b16329b1@bellis.me.uk>
Date: Thu, 08 Nov 2018 22:08:06 +0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
X-W3C-Hub-Spam-Status: No, score=-1.1
X-W3C-Hub-Spam-Report: AWL=0.348, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: titan.w3.org 1gKlv6-0005jc-NV b29bdbb8e2dfb67b2cd9f840b742d5cf
X-caa-id: 3c2fb00640
X-Original-To: ietf-http-wg@w3.org
Subject: Interactions between web clients and the DNS
Archived-At: <https://www.w3.org/mid/26c7530e-1d1f-1087-f55e-2c69b16329b1@bellis.me.uk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36043
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
As some of you know, on Sunday I published draft-bellis-dnsop-http-record-00. It's already being discussed in DNSOP, but this message is my attempt to explain what I think is needed to this community. Apologies in advance for the length of it. The draft is something of a strawman document, based on what I heard at the side meeting in Montreal, to see whether there's a way forward for the Web and DNS communities to "meet in the middle" on resolving (no pun intended) some issues with how some people would like to deploy web related records in the DNS. The primary issue is the impossiblity of placing a CNAME record at the apex of a zone cut such that e.g. example.com indirects to a CDN host. Marketing folks want "bare" domain names in URLs, technical people want those names hosted in a CDN somewhere. This is however just a corollary of the fact that you can't place a CNAME record alongside _any_ other DNS resource record. If I want to use a CNAME record to direct the web content for foo.example.com to a CDN I can't also place an MX record there. Back in 2009, the IAB published RFC 5507 "Design Choices When Expanding the DNS". The title is perhaps misleading, but in general it discusses the issue of the different ways that the DNS can be used to map from a _service_ to the information about that service. In general there are three ways that a service identifier can be used in the DNS: 1. append a prefix to the domain name (e.g. SRV underscore records) 2. put something service specific in the data (e.g. TXT SPF records) 3. use a service-specific resource record (RR) type. Generally, the document recommends the latter course. It's far easier to obtain new RR types than is used to be. Now back in the "good old days", web traffic did #1, but did it kind of by accident. It wasn't part of any standard, but it was a very widely used convention, and it worked. The service identifier was "www". It was a pretty big hint that the A and AAAA records there were for web use. However when you do a `gethostbyname()` for any other domain name, you've lost that service identifier - you're asking for a hostname but you're still really looking for a _service_. The A and AAAA records will be returned, but if you got them via a CNAME, that domain name _cannot be used for any other service_. There's a proposal for an "ANAME" record which has some of the "magic" behind the scenes stuff that CNAME does where the CNAME chain is followed by the resolver which eventually returns the address record the client originally asked for, but it doesn't solve the service identifier issue. Nor, as far as I can see, would it work well with CDNs, which is kind of the whole point of wanting apex CNAMEs for many people. My proposal then, is a type #3 service identifier for web use - the HTTP resource record. Its format looks exactly like a CNAME, but it can exist alongside other resource records. Think of it as an "MX record for web clients", albeit without the priority field. It is expected (albeit not mandatory) that when asked for an HTTP record that DNS resolvers would return any corresponding A and AAAA records from cache. If the data isn't already in cache, resolvers may go ask for it before returning the HTTP answer[*]. All that said, there are two downsides to my proposal, but the long term result should be a much cleaner architecture that is consistent with RFC 5507 and also solves all of the issues with CNAME. The first downside is that clients would have to explicitly ask for the HTTP record, and that means client codebase changes. That said, I think the implementation effort would be significantly less than that needed for a DoH client, and it's a one-time hit. The second downside is that if an HTTP record is returned but the additional A and AAAA records from cache are not, the web client then has to make a second A / AAAA request for the hostname returned by the HTTP record. I expect this to be only a short term issue, though - most resolver implementors deploy new RR types very quickly after IANA assignment of the code point. On that note, the real reason for this message. Notwithstanding all the above, in order to make an RFC 6895 early allocation application for the RR type via expert review, I have to be sure that the structure and format of the proposed record is fit for purpose, and that's the feedback I need from you folks. That question is independent of whether it's considered deployable or not. With an early allocation, I can get this implemented in BIND (I work at ISC), and I'm sure the other OSS resolver vendors would do likewise. I've already got an offer from GoDaddy to support this for their 75M domains. Next I plan to start working on getting one or two of the big CDNs onboard. I know this won't be painless, but I honestly believe that there is no way to fix this just by making changes in the DNS layer - web clients need to use an application specific service identifier in the DNS just like every other internet service. thanks for your time, Ray [*] - the -00 draft says that recursive resolvers MAY return the A and AAAA records from cache or perform iterative resolution of those records. The next version will say SHOULD return records if they're in the cache, and MAY perform iterative resolution to get them if they're not. If the above processing was at "MUST" requirement level it wouldn't be possible to use the RFC 6895 expert review process.
- Interactions between web clients and the DNS Ray Bellis