Re: [TLS] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
Tommy Pauly <tpauly@apple.com> Tue, 24 September 2019 15:40 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E02E1200F9 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkmsX1XMvk7P for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:40:28 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1989B12006D for <tls@ietf.org>; Tue, 24 Sep 2019 08:40:28 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.27/8.16.0.27) with SMTP id x8OFWQtw026628; Tue, 24 Sep 2019 08:40:18 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=RrRXheJzmy6a5tcZUjXzIXUlT2NszUzXdD3ZnVUETgY=; b=GGh3X2r9PQQaz4JO0unULdZJU/j8iHcOhowceg6vSqKGHbxryB0/UYigaV6r6PAf8BqA 2a9KP9FmqHS67c9WLQfYvRBBhppCX17yMIMhXLyLvtj7D85bk+JMPhzhY1KdQEwugnjU YBlvK6E096T3dVm1OQBtR9eLRmkKR15Id4fEGPzXtH7p4SeVn7uJ+biCIs37aeF/fe8c XvKYrgIE8P2R5PeR6piO9uue1ya42k483keDJG0+iAr//0vEJ+r0ICj+Ofz67uZZrhyA SvrEsWzgfYJiIt0rsjW1Pi6Fw64aAi5jpjL/nkjoas+4V8CcfV7FPJLBgFWnhQXj7K7X WQ==
Received: from ma1-mtap-s01.corp.apple.com (ma1-mtap-s01.corp.apple.com [17.40.76.5]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2v5gek38mh-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 24 Sep 2019 08:40:18 -0700
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s01.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0PYC007KWE753JE0@ma1-mtap-s01.corp.apple.com>; Tue, 24 Sep 2019 08:40:18 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0PYC00C00DQ25B00@nwk-mmpp-sz09.apple.com>; Tue, 24 Sep 2019 08:40:17 -0700 (PDT)
X-Va-A:
X-Va-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-Va-E-CD: 004b37f1134a7b34518feb429d30f29e
X-Va-R-CD: 18e8efc977171381990b7777b59bbeef
X-Va-CD: 0
X-Va-ID: c5e7b9a3-f918-4ea9-bc6c-6df95f44803a
X-V-A:
X-V-T-CD: b885964abc53914bb4dc9f6410fd4b52
X-V-E-CD: 004b37f1134a7b34518feb429d30f29e
X-V-R-CD: 18e8efc977171381990b7777b59bbeef
X-V-CD: 0
X-V-ID: 52b34384-3675-478f-bf8b-c71952c603d1
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-09-24_06:,, signatures=0
Received: from [17.234.90.67] by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0PYC00L5AE74JQ50@nwk-mmpp-sz09.apple.com>; Tue, 24 Sep 2019 08:40:17 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <05C1BB9F-4FAA-48EB-85F4-DEEE3E6D9EEA@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_116BBBFB-6E4A-417C-86DE-56A5608FB6A8"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Tue, 24 Sep 2019 08:40:14 -0700
In-reply-to: <571a9639-304f-8c30-efe4-d472bfd2631f@cs.tcd.ie>
Cc: Erik Nygren <erik+ietf@nygren.org>, tls@ietf.org, Ben Schwartz <bemasc@google.com>, Mike Bishop <mbishop@evequefou.be>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <156927967091.17209.1946223190141713793.idtracker@ietfa.amsl.com> <CAKC-DJi4EHz5CCAqRj_cYTVygiuo0s2QGaPLCct6e9Bh1mXaXQ@mail.gmail.com> <CAKC-DJgUt-H4-EQ3pvBL8_-UEUty3kQwTyh_Adtp3ORtiZOySg@mail.gmail.com> <571a9639-304f-8c30-efe4-d472bfd2631f@cs.tcd.ie>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-24_06:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/79CH84Y51_1NKw3HhIl3EVttgwE>
Subject: Re: [TLS] SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 15:40:31 -0000
> On Sep 24, 2019, at 7:32 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > Hi Erik, > > FWIW, if browsers preferred this to an ESNI RR and > we could forget the ESNI RR then I'd be ok with that. > I'm not clear if they do or not though. Regarding the status of which RR we use, I think the main goal for a system (speaking as an operating system vendor, rather than specifically just a browser vendor) would be to minimize the number of records we need to look up in order to get a usable set of information for connecting. To that end, I appreciate the generality and extensibility of the SCVB approach. It should ideally include any functionality needed for an ESNI-only deployment, but also allow for the specification of alt-svc, as well as other extensions that may come in the future. Thanks, Tommy > In the meantime, > assuming this went ahead instead of or in addition > to an ESNI RR, I've a few questions below... > > On 24/09/2019 14:21, Erik Nygren wrote: >> Following the discussions in Montreal (as well as with some of the ESNI >> authors), >> we refactored the HTTPSSVC draft to make it more general. The hope is that >> it could be an alternative (or replace the need) for a distinct ESNI record. > > So I think the basic ESNI case where there's no > name changes nor alt-svc etc would be as below in > presentation syntax, am I reading that right? > > example.com <http://example.com/>. 7200 IN HTTPSSVC 0 . ( esnikeys="/wHrAh..." ) > > I'm also not clear if that's the exact same as: > > example.com <http://example.com/>. 7200 IN SVCB 0 . ( esnikeys="/wHrAh..." ) > > ...is it? If so, which'd be preferred or would > clients be expected to be able to handle both? > And I don't get why two ways to say the same thing > are useful. > > Secondly, ESNIKeys currently supports versions, > multiple keys, cipher_suites, extensions and even > dns_extensions. And we could have >1 rrdata for > ESNI or for SCVB/HTTPSSVC. > > Would you envisage adoption of SVCB/HTTPSSVC meaning > that we could drop some of the generality that's > present in ESNIKeys? If so, what? > > I'd like if ESNIKeys were made simpler FWIW, so if > this had that effect, then I'd be more for it. If, > OTOH, this just added complexity (for a library > implementing ESNI), which currently seems to be the > case, then it'd be less attractive, to me at least. > (I guess I'm agreeing with Rich there:-) > > Thanks, > S. > > >> The draft generalizes to a protocol-agnostic SVCB record, but also specifies >> an HTTPSSVC record for the HTTP(S) use-case. >> >> Based on discussions with various chairs, the plan is to call for adoption >> in the DNSOP WG. >> >> Comments/feedback are most welcome. >> >> Erik >> >> >> ---------- Forwarded message --------- >> From: Erik Nygren <erik+ietf@nygren.org> >> Date: Tue, Sep 24, 2019 at 9:17 AM >> Subject: SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00 >> To: dnsop WG <dnsop@ietf.org>, Ben Schwartz <bemasc@google.com>, Mike >> Bishop <mbishop@evequefou.be> >> >> >> Following discussions around the "HTTPSSVC" record proposal in Montreal >> with the DNSOP, HTTP and TLS WGs, we've updated what was previously >> "draft-nygren-httpbis-httpssvc-03". The new version is >> "draft-nygren-dnsop-svcb-httpssvc-00". This incorporates much of the >> feedback from the WG discussions, as well as feedback from discussions with >> the TLS WG (as we'd like to see this replace the need for a separate ESNI >> record). >> >> In particular, it generalizes the record into a new "SVCB" record which >> doesn't have any protocol-specific semantics. It also defines an >> "HTTPSSVC" record that is compatible with SVCB (sharing a wire-format and >> parameter registry) and which defines the HTTP(S)-specific semantics such >> as bindings to Alt-Svc. Other protocols can either define bindings >> directly to SVCB or can define their own RR Type (which should only ever be >> needed if there is a need to use the record at a zone apex). >> >> We'd like to see this adopted by the DNSOP WG. Until then, issues and PRs >> can go against: https://github.com/MikeBishop/dns-alt-svc >> >> Major changes from "draft-nygren-httpbis-httpssvc-03" include: >> >> * Separation into the SVCB and HTTPSSVC RR Types (and separated all of the >> HTTPS-specific functionality and text to its own portion of the document). >> * Elimination of the SvcRecordType field (and making the SvcRecordType >> implicit) >> * Changing the wire format of parameters from being in Alt-Svc text format >> to a more general binary key/value pair format (with a mapping to Alt-Svc >> for HTTPSSVC). >> * Adding optional "ipv4hint" and "ipv6hint" parameters. >> * Quite a few cleanups and clarifications based on input (and we >> undoubtedly have more left to go) >> >> This retains support for all of the use-cases that the previous HTTPSSVC >> record had (such as for covering the ANAME / CNAME-at-the-zone-apex >> use-case). >> >> Feedback is most welcome. If the TLS WG is going to use this instead of a >> separate ESNI record, there is a desire to make progress on this fairy >> quickly. >> >> Erik >> >> ---------- Forwarded message --------- >> From: <internet-drafts@ietf.org> >> Date: Mon, Sep 23, 2019 at 7:01 PM >> Subject: New Version Notification for >> draft-nygren-dnsop-svcb-httpssvc-00.txt >> To: Mike Bishop <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, >> Benjamin Schwartz <bemasc@google.com> >> >> >> >> A new version of I-D, draft-nygren-dnsop-svcb-httpssvc-00.txt >> has been successfully submitted by Benjamin Schwartz and posted to the >> IETF repository. >> >> Name: draft-nygren-dnsop-svcb-httpssvc >> Revision: 00 >> Title: Service binding and parameter specification via the DNS >> (DNS SVCB and HTTPSSVC) >> Document date: 2019-09-22 >> Group: Individual Submission >> Pages: 33 >> URL: >> https://www.ietf.org/internet-drafts/draft-nygren-dnsop-svcb-httpssvc-00.txt >> Status: >> https://datatracker.ietf.org/doc/draft-nygren-dnsop-svcb-httpssvc/ >> Htmlized: >> https://tools.ietf.org/html/draft-nygren-dnsop-svcb-httpssvc-00 >> Htmlized: >> https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-svcb-httpssvc >> >> >> Abstract: >> This document specifies the "SVCB" and "HTTPSSVC" DNS resource record >> types to facilitate the lookup of information needed to make >> connections for origin resources, such as for HTTPS URLs. SVCB >> records allow an origin to be served from multiple network locations, >> each with associated parameters (such as transport protocol >> configuration and keying material for encrypting TLS SNI). They also >> enable aliasing of apex domains, which is not possible with CNAME. >> The HTTPSSVC DNS RR is a variation of SVCB for HTTPS and HTTP >> origins. By providing more information to the client before it >> attempts to establish a connection, these records offer potential >> benefits to both performance and privacy. >> >> TO BE REMOVED: This proposal is inspired by and based on recent DNS >> usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long >> standing desires to have SRV or a functional equivalent implemented >> for HTTP). These proposals each provide an important function but >> are potentially incompatible with each other, such as when an origin >> is load-balanced across multiple hosting providers (multi-CDN). >> Furthermore, these each add potential cases for adding additional >> record lookups in-addition to AAAA/A lookups. This design attempts >> to provide a unified framework that encompasses the key functionality >> of these proposals, as well as providing some extensibility for >> addressing similar future challenges. >> >> TO BE REMOVED: The specific name for this RR type is an open topic >> for discussion. "SVCB" and "HTTPSSVC" are meant as placeholders as >> they are easy to replace. Other names might include "B", "SRV2", >> "SVCHTTPS", "HTTPS", and "ALTSVC". >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > <0x5AB2FAF17B172BEA.asc>_______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
- [TLS] Fwd: SVCB and HTTPSSVC records: draft-nygre… Erik Nygren
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Salz, Rich
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Stephen Farrell
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ben Schwartz
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ilari Liusvaara
- Re: [TLS] SVCB and HTTPSSVC records: draft-nygren… Tommy Pauly
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Stephen Farrell
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ben Schwartz
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ilari Liusvaara
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Christopher Wood