Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 24 September 2019 14:32 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 948CE12008D for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 07:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v9VM6VPxLZd9 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 07:32:41 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72F0812001A for <tls@ietf.org>; Tue, 24 Sep 2019 07:32:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C4C2DBE39; Tue, 24 Sep 2019 15:32:38 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5CcJaAvWcKWr; Tue, 24 Sep 2019 15:32:38 +0100 (IST)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 7D53ABE20; Tue, 24 Sep 2019 15:32:38 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1569335558; bh=9uie6nTPG/XaduXxUz+HrP2r2fedCYRCoIRaSyvBeKo=; h=To:References:From:Subject:Date:In-Reply-To:From; b=lqcYatjmuP2xlWuJwdeSifcNVZGLg4MwKCSDUpDIGdvuDEaoplxP4YWzc2VAOB1Bq 7/eReOvVuYdR8ywZ17xciA2Op8TrZeheLDWXJAnxhbgmtN8mBi0sy25kppAcAxQSBg 380WbEZQGbmku+7u3Y2v/0bzQThauGXISHYPtjdc=
To: Erik Nygren <erik+ietf@nygren.org>, tls@ietf.org, Ben Schwartz <bemasc@google.com>, Mike Bishop <mbishop@evequefou.be>
References: <156927967091.17209.1946223190141713793.idtracker@ietfa.amsl.com> <CAKC-DJi4EHz5CCAqRj_cYTVygiuo0s2QGaPLCct6e9Bh1mXaXQ@mail.gmail.com> <CAKC-DJgUt-H4-EQ3pvBL8_-UEUty3kQwTyh_Adtp3ORtiZOySg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <571a9639-304f-8c30-efe4-d472bfd2631f@cs.tcd.ie>
Date: Tue, 24 Sep 2019 15:32:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAKC-DJgUt-H4-EQ3pvBL8_-UEUty3kQwTyh_Adtp3ORtiZOySg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="FBxvpUrHEviRcEpKnAACHjDGJjOKWybs6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZHzD3kQtdY_RtSoYg-O3Y-EXP6s>
Subject: Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 14:32:45 -0000
Hi Erik, FWIW, if browsers preferred this to an ESNI RR and we could forget the ESNI RR then I'd be ok with that. I'm not clear if they do or not though. In the meantime, assuming this went ahead instead of or in addition to an ESNI RR, I've a few questions below... On 24/09/2019 14:21, Erik Nygren wrote: > Following the discussions in Montreal (as well as with some of the ESNI > authors), > we refactored the HTTPSSVC draft to make it more general. The hope is that > it could be an alternative (or replace the need) for a distinct ESNI record. So I think the basic ESNI case where there's no name changes nor alt-svc etc would be as below in presentation syntax, am I reading that right? example.com. 7200 IN HTTPSSVC 0 . ( esnikeys="/wHrAh..." ) I'm also not clear if that's the exact same as: example.com. 7200 IN SVCB 0 . ( esnikeys="/wHrAh..." ) ...is it? If so, which'd be preferred or would clients be expected to be able to handle both? And I don't get why two ways to say the same thing are useful. Secondly, ESNIKeys currently supports versions, multiple keys, cipher_suites, extensions and even dns_extensions. And we could have >1 rrdata for ESNI or for SCVB/HTTPSSVC. Would you envisage adoption of SVCB/HTTPSSVC meaning that we could drop some of the generality that's present in ESNIKeys? If so, what? I'd like if ESNIKeys were made simpler FWIW, so if this had that effect, then I'd be more for it. If, OTOH, this just added complexity (for a library implementing ESNI), which currently seems to be the case, then it'd be less attractive, to me at least. (I guess I'm agreeing with Rich there:-) Thanks, S. > The draft generalizes to a protocol-agnostic SVCB record, but also specifies > an HTTPSSVC record for the HTTP(S) use-case. > > Based on discussions with various chairs, the plan is to call for adoption > in the DNSOP WG. > > Comments/feedback are most welcome. > > Erik > > > ---------- Forwarded message --------- > From: Erik Nygren <erik+ietf@nygren.org> > Date: Tue, Sep 24, 2019 at 9:17 AM > Subject: SVCB and HTTPSSVC records: draft-nygren-dnsop-svcb-httpssvc-00 > To: dnsop WG <dnsop@ietf.org>, Ben Schwartz <bemasc@google.com>, Mike > Bishop <mbishop@evequefou.be> > > > Following discussions around the "HTTPSSVC" record proposal in Montreal > with the DNSOP, HTTP and TLS WGs, we've updated what was previously > "draft-nygren-httpbis-httpssvc-03". The new version is > "draft-nygren-dnsop-svcb-httpssvc-00". This incorporates much of the > feedback from the WG discussions, as well as feedback from discussions with > the TLS WG (as we'd like to see this replace the need for a separate ESNI > record). > > In particular, it generalizes the record into a new "SVCB" record which > doesn't have any protocol-specific semantics. It also defines an > "HTTPSSVC" record that is compatible with SVCB (sharing a wire-format and > parameter registry) and which defines the HTTP(S)-specific semantics such > as bindings to Alt-Svc. Other protocols can either define bindings > directly to SVCB or can define their own RR Type (which should only ever be > needed if there is a need to use the record at a zone apex). > > We'd like to see this adopted by the DNSOP WG. Until then, issues and PRs > can go against: https://github.com/MikeBishop/dns-alt-svc > > Major changes from "draft-nygren-httpbis-httpssvc-03" include: > > * Separation into the SVCB and HTTPSSVC RR Types (and separated all of the > HTTPS-specific functionality and text to its own portion of the document). > * Elimination of the SvcRecordType field (and making the SvcRecordType > implicit) > * Changing the wire format of parameters from being in Alt-Svc text format > to a more general binary key/value pair format (with a mapping to Alt-Svc > for HTTPSSVC). > * Adding optional "ipv4hint" and "ipv6hint" parameters. > * Quite a few cleanups and clarifications based on input (and we > undoubtedly have more left to go) > > This retains support for all of the use-cases that the previous HTTPSSVC > record had (such as for covering the ANAME / CNAME-at-the-zone-apex > use-case). > > Feedback is most welcome. If the TLS WG is going to use this instead of a > separate ESNI record, there is a desire to make progress on this fairy > quickly. > > Erik > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Mon, Sep 23, 2019 at 7:01 PM > Subject: New Version Notification for > draft-nygren-dnsop-svcb-httpssvc-00.txt > To: Mike Bishop <mbishop@evequefou.be>, Erik Nygren <erik+ietf@nygren.org>, > Benjamin Schwartz <bemasc@google.com> > > > > A new version of I-D, draft-nygren-dnsop-svcb-httpssvc-00.txt > has been successfully submitted by Benjamin Schwartz and posted to the > IETF repository. > > Name: draft-nygren-dnsop-svcb-httpssvc > Revision: 00 > Title: Service binding and parameter specification via the DNS > (DNS SVCB and HTTPSSVC) > Document date: 2019-09-22 > Group: Individual Submission > Pages: 33 > URL: > https://www.ietf.org/internet-drafts/draft-nygren-dnsop-svcb-httpssvc-00.txt > Status: > https://datatracker.ietf.org/doc/draft-nygren-dnsop-svcb-httpssvc/ > Htmlized: > https://tools.ietf.org/html/draft-nygren-dnsop-svcb-httpssvc-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-svcb-httpssvc > > > Abstract: > This document specifies the "SVCB" and "HTTPSSVC" DNS resource record > types to facilitate the lookup of information needed to make > connections for origin resources, such as for HTTPS URLs. SVCB > records allow an origin to be served from multiple network locations, > each with associated parameters (such as transport protocol > configuration and keying material for encrypting TLS SNI). They also > enable aliasing of apex domains, which is not possible with CNAME. > The HTTPSSVC DNS RR is a variation of SVCB for HTTPS and HTTP > origins. By providing more information to the client before it > attempts to establish a connection, these records offer potential > benefits to both performance and privacy. > > TO BE REMOVED: This proposal is inspired by and based on recent DNS > usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long > standing desires to have SRV or a functional equivalent implemented > for HTTP). These proposals each provide an important function but > are potentially incompatible with each other, such as when an origin > is load-balanced across multiple hosting providers (multi-CDN). > Furthermore, these each add potential cases for adding additional > record lookups in-addition to AAAA/A lookups. This design attempts > to provide a unified framework that encompasses the key functionality > of these proposals, as well as providing some extensibility for > addressing similar future challenges. > > TO BE REMOVED: The specific name for this RR type is an open topic > for discussion. "SVCB" and "HTTPSSVC" are meant as placeholders as > they are easy to replace. Other names might include "B", "SRV2", > "SVCHTTPS", "HTTPS", and "ALTSVC". > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Fwd: SVCB and HTTPSSVC records: draft-nygre… Erik Nygren
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Salz, Rich
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Stephen Farrell
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ben Schwartz
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ilari Liusvaara
- Re: [TLS] SVCB and HTTPSSVC records: draft-nygren… Tommy Pauly
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Stephen Farrell
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ben Schwartz
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Ilari Liusvaara
- Re: [TLS] Fwd: SVCB and HTTPSSVC records: draft-n… Christopher Wood