Re: HTTPSSVC record draft from Ben Schwartz on 2019-07-03 (ietf-http-wg@w3.org from July to September 2019)

From: Ben Schwartz <bemasc@google.com>
Date: Wed, 3 Jul 2019 16:21:59 -0400
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <CAHbrMsDZ2D_e2xWbNnc3CcR-Sf7oQZc+6_qRjjk=JCw3zedAKQ@mail.gmail.com>

On Wed, Jul 3, 2019 at 3:58 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Jul 03, 2019 at 02:45:47PM -0400, Erik Nygren wrote:
> > Ben, Mike, and I have submitted the first version of a proposal for an
> > "HTTPSSVC" DNS record.
> >
> > TL;DR:  This attempts to address a number of problems (ESNI, QUIC
> > bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for
> HTTP,
> > etc) in a holistic manner through a new extensible DNS record, rather
> than
> > in a piecemeal fashion.  It is based on some previous proposals such as
> > "Alt-Svc in the DNS" and "Service Bindings" but takes into account
> feedback
> > received in DNSOP and elsewhere.
> >
> > Feedback is most welcome and we're looking forward to discussing with
> > people in Montreal.
> >
> > Draft link:
> >
> >       https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01
>
> Some quick comments:
>
> - What if SvcDomainName has length different from its length field?
>   DNS wire-form names are self-delimiting (DNS message parsing relies
>   on this).
>

Thanks for the review!  The serialization format can definitely be
improved; we want to make it easy to implement and consistent with typical
DNS practices.

The current rationale for the length field is that we need some way of
distinguishing the empty name (i.e. "", meaning "absent") from a name
consisting of an empty label (i.e. ".").  I agree; there's probably a more
intuitive way to represent that.  Suggestions welcome.

> - What does it mean for SvcDomainName to be absent in alternative
>   service form? I would guess it means "same as RRNAME".
>

Sort of.  Alt-Svc has a concept of "uri-host omitted", in which case the
connection proceeds to the same host.  I think the net effect is the same.

I agree, this seems like something the draft should clarify.  We also need
to figure out what the text representation is.

> - Why there is length field for SvcFieldValue? Why not let it run to
>   the end of record?
> - 2 byte length field can encode values up to 65535, not 65536.
>   And the length of SvcFieldValue can not be that big, because
>   RRDATA and DNS message length limits (both 65535) would be hit.
>

Suggestions welcome.

> - Why 302 redirects instead of 307? 302 is frequently buggy.
>

You're right, 307 is probably closer to what we mean.

> - I-D.ietf-tls-tls13 -> RFC8446.
> - Is there any envisioned use for chained HTTPSSVC records, except
>   for type 0 record pointing to type 1 record?
>

You can also have longer chains, (0 -> 0 -> 1), but type 1 does not chain
further.

> - The MUST requirement to have only one type 0 record and then
>   SHOULD behave non-deterministically if this is violated is pretty
>   odd.
>

Agreed, we can improve that recommendation.

>
>
> -Ilari
>
>

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Wednesday, 3 July 2019 20:22:34 UTC