IETF Logo Mail Archive

Re: [TLS] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00

Tommy Pauly <tpauly@apple.com> Tue, 24 September 2019 15:40 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E02E1200F9 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkmsX1XMvk7P for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:40:28 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1989B12006D for <tls@ietf.org>; Tue, 24 Sep 2019 08:40:28 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.27/8.16.0.27) with SMTP id x8OFWQtw026628; Tue, 24 Sep 2019 08:40:18 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=RrRXheJzmy6a5tcZUjXzIXUlT2NszUzXdD3ZnVUETgY=; b=GGh3X2r9PQQaz4JO0unULdZJU/j8iHcOhowceg6vSqKGHbxryB0/UYigaV6r6PAf8BqA 2a9KP9FmqHS67c9WLQfYvRBBhppCX17yMIMhXLyLvtj7D85bk+JMPhzhY1KdQEwugnjU YBlvK6E096T3dVm1OQBtR9eLRmkKR15Id4fEGPzXtH7p4SeVn7uJ+biCIs37aeF/fe8c XvKYrgIE8P2R5PeR6piO9uue1ya42k483keDJG0+iAr//0vEJ+r0ICj+Ofz67uZZrhyA SvrEsWzgfYJiIt0rsjW1Pi6Fw64aAi5jpjL/nkjoas+4V8CcfV7FPJLBgFWnhQXj7K7X WQ==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2v5gek38mh-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 24 Sep 2019 08:40:18 -0700
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0PYC007KWE753JE0@ma1-mtap-s01.corp.apple.com>; Tue, 24 Sep 2019 08:40:18 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0PYC00C00DQ25B00@nwk-mmpp-sz09.apple.com>; Tue, 24 Sep 2019 08:40:17 -0700 (PDT)
X-Va-A:
X-Va-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-Va-E-CD: 004b37f1134a7b34518feb429d30f29e
X-Va-R-CD: 18e8efc977171381990b7777b59bbeef
X-Va-CD: 0
X-Va-ID: c5e7b9a3-f918-4ea9-bc6c-6df95f44803a
X-V-A:
X-V-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-V-E-CD: 004b37f1134a7b34518feb429d30f29e
X-V-R-CD: 18e8efc977171381990b7777b59bbeef
X-V-CD: 0
X-V-ID: 52b34384-3675-478f-bf8b-c71952c603d1
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-09-24_06:,, signatures=0
Received: from [17.234.90.67] by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0PYC00L5AE74JQ50@nwk-mmpp-sz09.apple.com>; Tue, 24 Sep 2019 08:40:17 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <05C1BB9F-4FAA-48EB-85F4-DEEE3E6D9EEA@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_116BBBFB-6E4A-417C-86DE-56A5608FB6A8"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Tue, 24 Sep 2019 08:40:14 -0700
In-reply-to: <571a9639-304f-8c30-efe4-d472bfd2631f@cs.tcd.ie>
Cc: Erik Nygren <erik+ietf@nygren.org>, tls@ietf.org, Ben Schwartz <bemasc@google.com>, Mike Bishop <mbishop@evequefou.be>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <156927967091.17209.1946223190141713793.idtracker@ietfa.amsl.com> <CAKC-DJi4EHz5CCAqRj_cYTVygiuo0s2QGaPLCct6e9Bh1mXaXQ@mail.gmail.com> <CAKC-DJgUt-H4-EQ3pvBL8_-UEUty3kQwTyh_Adtp3ORtiZOySg@mail.gmail.com> <571a9639-304f-8c30-efe4-d472bfd2631f@cs.tcd.ie>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-24_06:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/79CH84Y51_1NKw3HhIl3EVttgwE>
Subject: Re: [TLS] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 15:40:31 -0000


> On Sep 24, 2019, at 7:32 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hi Erik,
> 
> FWIW, if browsers preferred this to an ESNI RR and
> we could forget the ESNI RR then I'd be ok with that.
> I'm not clear if they do or not though.

Regarding the status of which RR we use, I think the main goal for a system (speaking as an operating system vendor, rather than specifically just a browser vendor) would be to minimize the number of records we need to look up in order to get a usable set of information for connecting. To that end, I appreciate the generality and extensibility of the SCVB approach. It should ideally include any functionality needed for an ESNI-only deployment, but also allow for the specification of alt-svc, as well as other extensions that may come in the future.

Thanks,
Tommy

> In the meantime,
> assuming this went ahead instead of or in addition
> to an ESNI RR, I've a few questions below...
> 
> On 24/09/2019 14:21, Erik Nygren wrote:
>> Following the discussions in Montreal (as well as with some of the ESNI
>> authors),
>> we refactored the HTTPSSVC draft to make it more general.  The hope is that
>> it could be an alternative (or replace the need) for a distinct ESNI record.
> 
> So I think the basic ESNI case where there's no
> name changes nor alt-svc etc would be as below in
> presentation syntax, am I reading that right?
> 
>   example.com <http://example.com/>. 7200  IN HTTPSSVC 0 . ( esnikeys="/wHrAh..." )
> 
> I'm also not clear if that's the exact same as:
> 
>   example.com <http://example.com/>. 7200  IN SVCB 0 . ( esnikeys="/wHrAh..." )
> 
> ...is it? If so, which'd be preferred or would
> clients be expected to be able to handle both?
> And I don't get why two ways to say the same thing
> are useful.
> 
> Secondly, ESNIKeys currently supports versions,
> multiple keys, cipher_suites, extensions and even
> dns_extensions. And we could have >1 rrdata for
> ESNI or for SCVB/HTTPSSVC.
> 
> Would you envisage adoption of SVCB/HTTPSSVC meaning
> that we could drop some of the generality that's
> present in ESNIKeys? If so, what?
> 
> I'd like if ESNIKeys were made simpler FWIW, so if
> this had that effect, then I'd be more for it. If,
> OTOH, this just added complexity (for a library
> implementing ESNI), which currently seems to be the
> case, then it'd be less attractive, to me at least.
> (I guess I'm agreeing with Rich there:-)
> 
> Thanks,
> S.
> 
> 
>> The draft generalizes to a protocol-agnostic SVCB record, but also specifies
>> an HTTPSSVC record for the HTTP(S) use-case.
>> 
>> Based on discussions with various chairs, the plan is to call for adoption
>> in the DNSOP WG.
>> 
>> Comments/feedback are most welcome.
>> 
>>      Erik
>> 
>> 
>> ---------- Forwarded message ---------
>> From: Erik Nygren <erik+ietf@nygren.org>
>> Date: Tue, Sep 24, 2019 at 9:17 AM
>> Subject: SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
>> To: dnsop WG <dnsop@ietf.org>, Ben Schwartz <bemasc@google.com>, Mike
>> Bishop <mbishop@evequefou.be>
>> 
>> 
>> Following discussions around the "HTTPSSVC" record proposal in Montreal
>> with the DNSOP, HTTP and TLS WGs, we've updated what was previously
>> "draft-nygren-httpbis-httpssvc-03".  The new version is
>> "draft-nygren-dnsop-svcb-httpssvc-00".   This incorporates much of the
>> feedback from the WG discussions, as well as feedback from discussions with
>> the TLS WG (as we'd like to see this replace the need for a separate ESNI
>> record).
>> 
>> In particular, it generalizes the record into a new "SVCB" record which
>> doesn't have any protocol-specific semantics.  It also defines an
>> "HTTPSSVC" record that is compatible with SVCB (sharing a wire-format and
>> parameter registry) and which defines the HTTP(S)-specific semantics such
>> as bindings to Alt-Svc.  Other protocols can either define bindings
>> directly to SVCB or can define their own RR Type (which should only ever be
>> needed if there is a need to use the record at a zone apex).
>> 
>> We'd like to see this adopted by the DNSOP WG.  Until then, issues and PRs
>> can go against:  https://github.com/MikeBishop/dns-alt-svc
>> 
>> Major changes from "draft-nygren-httpbis-httpssvc-03" include:
>> 
>> * Separation into the SVCB and HTTPSSVC RR Types  (and separated all of the
>> HTTPS-specific functionality and text to its own portion of the document).
>> * Elimination of the SvcRecordType field (and making the SvcRecordType
>> implicit)
>> * Changing the wire format of parameters from being in Alt-Svc text format
>> to a more general binary key/value pair format (with a mapping to Alt-Svc
>> for HTTPSSVC).
>> * Adding optional "ipv4hint" and "ipv6hint" parameters.
>> * Quite a few cleanups and clarifications based on input (and we
>> undoubtedly have more left to go)
>> 
>> This retains support for all of the use-cases that the previous HTTPSSVC
>> record had (such as for covering the ANAME / CNAME-at-the-zone-apex
>> use-case).
>> 
>> Feedback is most welcome.  If the TLS WG is going to use this instead of a
>> separate ESNI record, there is a desire to make progress on this fairy
>> quickly.
>> 
>>       Erik
>> 
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Mon, Sep 23, 2019 at 7:01 PM
>> Subject: New Version Notification for
>> draft-nygren-dnsop-svcb-httpssvc-00.txt
>> To: Mike Bishop <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>,
>> Benjamin Schwartz <bemasc@google.com>
>> 
>> 
>> 
>> A new version of I-D, draft-nygren-dnsop-svcb-httpssvc-00.txt
>> has been successfully submitted by Benjamin Schwartz and posted to the
>> IETF repository.
>> 
>> Name:           draft-nygren-dnsop-svcb-httpssvc
>> Revision:       00
>> Title:          Service binding and parameter specification via the DNS
>> (DNS SVCB and HTTPSSVC)
>> Document date:  2019-09-22
>> Group:          Individual Submission
>> Pages:          33
>> URL:
>> https://www.ietf.org/internet-drafts/draft-nygren-dnsop-svcb-httpssvc-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-nygren-dnsop-svcb-httpssvc/
>> Htmlized:
>> https://tools.ietf.org/html/draft-nygren-dnsop-svcb-httpssvc-00
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-svcb-httpssvc
>> 
>> 
>> Abstract:
>>   This document specifies the "SVCB" and "HTTPSSVC" DNS resource record
>>   types to facilitate the lookup of information needed to make
>>   connections for origin resources, such as for HTTPS URLs.  SVCB
>>   records allow an origin to be served from multiple network locations,
>>   each with associated parameters (such as transport protocol
>>   configuration and keying material for encrypting TLS SNI).  They also
>>   enable aliasing of apex domains, which is not possible with CNAME.
>>   The HTTPSSVC DNS RR is a variation of SVCB for HTTPS and HTTP
>>   origins.  By providing more information to the client before it
>>   attempts to establish a connection, these records offer potential
>>   benefits to both performance and privacy.
>> 
>>   TO BE REMOVED: This proposal is inspired by and based on recent DNS
>>   usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long
>>   standing desires to have SRV or a functional equivalent implemented
>>   for HTTP).  These proposals each provide an important function but
>>   are potentially incompatible with each other, such as when an origin
>>   is load-balanced across multiple hosting providers (multi-CDN).
>>   Furthermore, these each add potential cases for adding additional
>>   record lookups in-addition to AAAA/A lookups.  This design attempts
>>   to provide a unified framework that encompasses the key functionality
>>   of these proposals, as well as providing some extensibility for
>>   addressing similar future challenges.
>> 
>>   TO BE REMOVED: The specific name for this RR type is an open topic
>>   for discussion.  "SVCB" and "HTTPSSVC" are meant as placeholders as
>>   they are easy to replace.  Other names might include "B", "SRV2",
>>   "SVCHTTPS", "HTTPS", and "ALTSVC".
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> 
> <0x5AB2FAF17B172BEA.asc>_______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>

v2.23.0 | Report a Bug | By Email