
Re: #385: HTTP2 Upgrade / Negotiation

From: Eliot Lear <lear@cisco.com>
Date: Wed, 24 Oct 2012 10:41:27 +0200
Message-ID: <5087A9B7.1040009@cisco.com>
To: Mark Nottingham <mnot@mnot.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 10/24/12 9:48 AM, Mark Nottingham wrote:
> Can you expand upon that a bit? You mean where the successive DNS
> lookups come from different servers, or...?

The issue is additional information that Patrik is suggesting that we
use (to be fair I may have made the same suggestion without thinking it
through earlier).  So, take for instance the case where you want to look
up what the server on example.com is using.  You might have the
following SRV response:

_http2._tcp.example.com    IN    SRV 0 10 880 http2server.example.com

and additional information of

http2server.example.com    IN    A 192.0.2.1

The problem is that _http2._tcp.example.com may not be in the same zone
as http2server.example.com, and the querying resolver can't tell, simply
based on one query.  The nameserver for _http2._tcp.example.com doesn't
really have the right to make claims about anything outside its zone. 
There are common enterprise deployments in which this is in fact the
case.  Someone even asked me if it was possible NOT to have a zone cut
at _tcp....!!!

Now let's take a more nefarious example:

_http2._tcp.badguy.com    IN    SRV 0 880    mybank.com

and additional information of

mybank.com    IN    A    192.0.2.18 ;; where this address leads you to the wrong site.

A solution to this issue is to use the same name.  That guarantees the
same authority.

Eliot
Received on Wednesday, 24 October 2012 08:42:02 GMT
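The bailiwick rule Eliot is describing, worked through as an added example (not code from the thread or from any resolver project): a resolver may credit the server that answered with authority only over the zone it was delegated to, so A records volunteered in the additional section are usable only when their owner name sits in that zone. The `Record` type, the helper names and the four constructed scenarios are assumptions made for illustration; the records and 192.0.2.x addresses follow the mail, with the second scenario adding the "zone cut at _tcp" deployment it mentions.

```python
"""Bailiwick filtering of SRV additional data.

Added example modelled on the mail above; not code from the thread or from
any DNS software.  Record, canon, in_bailiwick, srv_target and
filter_additional are names chosen here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One resource record: owner name, type and presentation-format rdata."""
    name: str
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Lower-case a name and make it absolute (trailing dot) for comparison."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or any name below it.

    A server authoritative for `zone` may make claims about these names and
    nothing else; records it volunteers for other names are glue the
    resolver must not believe.
    """
    name, zone = canon(name), canon(zone)
    if zone == ".":          # the root servers may vouch for anything
        return True
    return name == zone or name.endswith("." + zone)


def srv_target(srv: Record) -> str:
    """Target host from SRV rdata 'priority weight port target'."""
    return canon(srv.rdata.split()[-1])


def filter_additional(zone: str, srv: Record, additional: list[Record]) -> dict:
    """Decide what a resolver may use from the additional section.

    `zone` is the apex the resolver was delegated to when it sent the query,
    i.e. the only authority it can credit the answering server with.
    Returns the accepted and rejected addresses for the SRV target and
    whether the target still needs a fresh, separately authorised lookup.
    """
    target = srv_target(srv)
    accepted: list[str] = []
    rejected: list[str] = []
    for rr in additional:
        if rr.rtype != "A" or canon(rr.name) != target:
            continue  # not an address for the host the SRV points at
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr.rdata)
    return {
        "target": target,
        "accepted": accepted,
        "rejected": rejected,
        "needs_lookup": not accepted,
    }


# Constructed scenarios mirroring the mail (RFC 5737 documentation addresses).
BENIGN = (
    "example.com.",
    Record("_http2._tcp.example.com", "SRV", "0 10 880 http2server.example.com"),
    [Record("http2server.example.com", "A", "192.0.2.1")],
)
# Same records, but the enterprise put a zone cut at _tcp: the server that
# answered is authoritative for _tcp.example.com only.
ZONE_CUT_AT_TCP = ("_tcp.example.com.",) + BENIGN[1:]
# badguy.com's server volunteering an address for mybank.com.
NEFARIOUS = (
    "badguy.com.",
    Record("_http2._tcp.badguy.com", "SRV", "0 10 880 mybank.com"),
    [Record("mybank.com", "A", "192.0.2.18")],
)
# The fix proposed in the mail: keep the target under the same name, so the
# address can only come from the authority that was queried in the first place.
SAME_NAME = (
    "badguy.com.",
    Record("_http2._tcp.badguy.com", "SRV", "0 10 880 badguy.com"),
    [Record("badguy.com", "A", "192.0.2.18")],
)


def run_scenarios() -> dict[str, dict]:
    """Run all four constructed scenarios and return their decisions by name."""
    cases = [("benign", BENIGN), ("zone_cut_at_tcp", ZONE_CUT_AT_TCP),
             ("nefarious", NEFARIOUS), ("same_name", SAME_NAME)]
    return {name: filter_additional(*case) for name, case in cases}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} -> {result}")
```

Only the benign and same-name cases yield a usable address; in the zone-cut case the resolver must re-query for `http2server.example.com` starting from a delegation it actually followed, and in the nefarious case the `mybank.com` glue is dropped outright. Note that the check cannot distinguish an innocent enterprise layout from an attack, which is the point of the mail: without DNSSEC validation of the A record itself, the only safe policy is to discard anything the answering server was not delegated.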
