IETF Logo Mail Archive

Re: HTTPSSVC record draft

Mark Andrews <marka@isc.org> Tue, 09 July 2019 06:24 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D195120314 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 8 Jul 2019 23:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.651
X-Spam-Level:
X-Spam-Status: No, score=-2.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9E6d_wx0hTt for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 8 Jul 2019 23:24:56 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D22312030F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 8 Jul 2019 23:24:56 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hkjVh-0007oJ-Kw for ietf-http-wg-dist@listhub.w3.org; Tue, 09 Jul 2019 06:21:53 +0000
Resent-Date: Tue, 09 Jul 2019 06:21:53 +0000
Resent-Message-Id: <E1hkjVh-0007oJ-Kw@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <marka@isc.org>) id 1hkjVg-0007nO-8j for ietf-http-wg@listhub.w3.org; Tue, 09 Jul 2019 06:21:52 +0000
Received: from mx.pao1.isc.org ([2001:4f8:0:2::2b]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <marka@isc.org>) id 1hkjVe-0002zc-5a for ietf-http-wg@w3.org; Tue, 09 Jul 2019 06:21:52 +0000
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 3494D3AB002; Tue, 9 Jul 2019 06:21:27 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 05BA6160079; Tue, 9 Jul 2019 06:21:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E4FC016006C; Tue, 9 Jul 2019 06:21:26 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id HnrwzQdTRpgx; Tue, 9 Jul 2019 06:21:26 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 73F17160051; Tue, 9 Jul 2019 06:21:25 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAKC-DJi7+jq0m6wY2S+9aKXzHBeKXhWN_+UKx0D_RDKa5orPzA@mail.gmail.com>
Date: Tue, 09 Jul 2019 16:21:22 +1000
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Mike Bishop <mbishop@evequefou.be>, Benjamin Schwartz <bemasc@google.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6B369667-726E-4C5B-9EA8-AB91E3A98A2A@isc.org>
References: <CAKC-DJikByP+wX-GoD6ntpUWTbr6ioJzB4i8nGQL4NtPWePL3g@mail.gmail.com> <7B54D926-22C6-4283-B54C-6A53D22D2126@isc.org> <CAKC-DJi7+jq0m6wY2S+9aKXzHBeKXhWN_+UKx0D_RDKa5orPzA@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
X-Mailer: Apple Mail (2.3445.9.1)
Received-SPF: pass client-ip=2001:4f8:0:2::2b; envelope-from=marka@isc.org; helo=mx.pao1.isc.org
X-W3C-Hub-Spam-Status: No, score=-9.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1hkjVe-0002zc-5a 180ad7344ea4351e57a3675be0c72a0a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTPSSVC record draft
Archived-At: <https://www.w3.org/mid/6B369667-726E-4C5B-9EA8-AB91E3A98A2A@isc.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36770
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Introductory Example: The example record

example.com.      2H  IN HTTPSSVC 0 0 svc.example.net.

does not match the description of the record (missing last field). It should be:

example.com.      7200  IN HTTPSSVC 0 0 svc.example.net. “”

Similarly in 2.4.  HTTPSSVC records: alias form

Also don’t use 2H for the TTL.  While some servers will accept it, it is not RFC compliant.


Unless these is a real reason for the record to be class agnostic please specify that
it is class IN specific.

Mark

> On 9 Jul 2019, at 7:08 am, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> I've published a -03 for this draft:
> 
>     https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-03
> 
> Most significant changes based on feedback:    
> 
>       *  Remove the redundant length fields from the wire format.
>       *  Define a SvcDomainName of "." for SvcRecordType=1 as being the
>          HTTPSSVC RRNAME.
>       * Switch from 302 to 307 redirect for HSTS equivalent.
> 
> but there also some added examples and other clarifications based on feedback received.
> 
> While this is still an individual draft, we have been tracking it here:
>     https://github.com/MikeBishop/dns-alt-svc
> but as always, commentary on the IETF lists is generally preferable.
> 
> That's great to already see a bind9 prototype implementation!
> (Does it already associate Additional records from the SvcDomainName
> for recursive responses when that was already in-cache?  I'm curious to see
> if that is trivial or not to add in existing code bases.) 
> Reading through the implementation made it quite clear how desirable it was
> to remove the redundancy from the wire format.
> 
>     Erik
> 
> 
> 
> 
> On Fri, Jul 5, 2019 at 2:52 AM Mark Andrews <marka@isc.org> wrote:
> A private type implementation is here for BIND.
> 
> https://gitlab.isc.org/isc-projects/bind9/merge_requests/2135
> 
> Mark
> 
> > On 4 Jul 2019, at 4:45 am, Erik Nygren <erik+ietf@nygren.org> wrote:
> > 
> > 
> > Ben, Mike, and I have submitted the first version of a proposal for an "HTTPSSVC" DNS record.  
> > 
> > TL;DR:  This attempts to address a number of problems (ESNI, QUIC bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for HTTP, etc) in a holistic manner through a new extensible DNS record, rather than in a piecemeal fashion.  It is based on some previous proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes into account feedback received in DNSOP and elsewhere.  
> > 
> > Feedback is most welcome and we're looking forward to discussing with people in Montreal.
> > 
> > Draft link:
> > 
> >       https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01 
> > 
> > 
> > 
> > From the abstract:
> > 
> > This document specifies an "HTTPSSVC" DNS resource record type to facilitate the lookup of information needed to make connections for HTTPS URIs.  The HTTPSSVC DNS RR mechanism allows an HTTPS origin hostname to be served from multiple network services, each with associated parameters (such as transport protocol and keying material for encrypting TLS SNI).  It also provides a solution for the inability of the DNS to allow a CNAME to be placed at the apex of a domain name.  Finally, it provides a way to indicate that the origin supports HTTPS without having to resort to redirects, allowing clients to remove HTTP from the bootstrapping process.
> > 
> > By allowing this information to be bootstrapped in the DNS, it allows for clients to learn of alternative services before their first contact with the origin.  This arrangement offers potential benefits to both performance and privacy.
> > 
> > This proposal is inspired by and based on recent DNS usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to have SRV or a functional equivalent implemented for HTTP).  These proposals each provide an important function but are potentially incompatible with each other, such as when an origin is load-balanced across multiple hosting providers (multi-CDN). Furthermore, these each add potential cases for adding additional record lookups in-addition to AAAA/A lookups.  This design attempts to provide a unified framework that encompasses the key functionality of these proposals, as well as providing some extensibility for addressing similar future challenges.
> > 
> > --
> > 
> > Some likely FAQs (with some others listed in an appendix):
> > 
> > Q: Why this is HTTP-specific?
> > A: This is because every protocol has different bootstrap requirements.  This draft is concerned with improving the efficiency and security of bootstrapping HTTPS connections.  This proposal does offer room for non-HTTPS protocols, but the nature of DNS requires underscore prefixing to support protocol-keyed answers within a single RRTYPE.  It's also unlikely that a single RR format would be the ideal bootstrap mechanism for every protocol, and there's no reason that multiple protocols should have to share an RRTYPE.
> >  
> > Q: Why is ESNI addressed directly?
> > A: This helps make a major motivation of this draft more clear.  Splitting out those sections to a separate-but-associated "alt-svc attribute for ESNI keys" draft might make sense, but keeping it here helps work through some of the issues together.
> > 
> > Q: Why does this try to address the HSTS case?
> > A: This is a unique opportunity to fix HTTPS bootstrap and avoid providing insecure defaults.  We'd originally proposed a separate Alt-Svc attribute to indicate hsts-style behavior, but then realized that it would make sense to push on that as the default here.
> > 
> > Best, Erik
> > 
> > 
> > 
> > ---------- Forwarded message ---------
> > From: <internet-drafts@ietf.org>
> > Date: Wed, Jul 3, 2019 at 1:06 PM
> > Subject: New Version Notification for draft-nygren-httpbis-httpssvc-01.txt
> > To: Mike Bishop <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, Benjamin Schwartz <bemasc@google.com>
> > 
> > 
> > 
> > A new version of I-D, draft-nygren-httpbis-httpssvc-01.txt
> > has been successfully submitted by Benjamin Schwartz and posted to the
> > IETF repository.
> > 
> > Name:           draft-nygren-httpbis-httpssvc
> > Revision:       01
> > Title:          HTTPSSVC service location and parameter specification via the DNS (DNS HTTPSSVC)
> > Document date:  2019-07-03
> > Group:          Individual Submission
> > Pages:          22
> > URL:            https://www.ietf.org/internet-drafts/draft-nygren-httpbis-httpssvc-01.txt
> > Status:         https://datatracker.ietf.org/doc/draft-nygren-httpbis-httpssvc/
> > Htmlized:       https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01
> > Htmlized:       https://datatracker.ietf.org/doc/html/draft-nygren-httpbis-httpssvc
> > Diff:           https://www.ietf.org/rfcdiff?url2=draft-nygren-httpbis-httpssvc-01
> > 
> > Abstract:
> >    This document specifies an "HTTPSSVC" DNS resource record type to
> >    facilitate the lookup of information needed to make connections for
> >    HTTPS URIs.  The HTTPSSVC DNS RR mechanism allows an HTTPS origin
> >    hostname to be served from multiple network services, each with
> >    associated parameters (such as transport protocol and keying material
> >    for encrypting TLS SNI).  It also provides a solution for the
> >    inability of the DNS to allow a CNAME to be placed at the apex of a
> >    domain name.  Finally, it provides a way to indicate that the origin
> >    supports HTTPS without having to resort to redirects, allowing
> >    clients to remove HTTP from the bootstrapping process.
> > 
> >    By allowing this information to be bootstrapped in the DNS, it allows
> >    for clients to learn of alternative services before their first
> >    contact with the origin.  This arrangement offers potential benefits
> >    to both performance and privacy.
> > 
> >    TO BE REMOVED: This proposal is inspired by and based on recent DNS
> >    usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long
> >    standing desires to have SRV or a functional equivalent implemented
> >    for HTTP).  These proposals each provide an important function but
> >    are potentially incompatible with each other, such as when an origin
> >    is load-balanced across multiple hosting providers (multi-CDN).
> >    Furthermore, these each add potential cases for adding additional
> >    record lookups in-addition to AAAA/A lookups.  This design attempts
> >    to provide a unified framework that encompasses the key functionality
> >    of these proposals, as well as providing some extensibility for
> >    addressing similar future challenges.
> > 
> > 
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > The IETF Secretariat
> > 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email