Re: HTTPSSVC record draft

> On 4 Jul 2019, at 6:21 am, Ben Schwartz <bemasc@google.com> wrote:
> 
> 
> 
> On Wed, Jul 3, 2019 at 3:58 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> On Wed, Jul 03, 2019 at 02:45:47PM -0400, Erik Nygren wrote:
> > Ben, Mike, and I have submitted the first version of a proposal for an
> > "HTTPSSVC" DNS record.
> > 
> > TL;DR:  This attempts to address a number of problems (ESNI, QUIC
> > bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for HTTP,
> > etc) in a holistic manner through a new extensible DNS record, rather than
> > in a piecemeal fashion.  It is based on some previous proposals such as
> > "Alt-Svc in the DNS" and "Service Bindings" but takes into account feedback
> > received in DNSOP and elsewhere.
> > 
> > Feedback is most welcome and we're looking forward to discussing with
> > people in Montreal.
> > 
> > Draft link:
> > 
> >       https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01
> 
> Some quick comments:
> 
> - What if SvcDomainName has length different from its length field?
>   DNS wire-form names are self-delimiting (DNS message parsing relies
>   on this).
> 
> Thanks for the review!  The serialization format can definitely be improved; we want to make it easy to implement and consistent with typical DNS practices.
> 
> The current rationale for the length field is that we need some way of distinguishing the empty name (i.e. "", meaning "absent") from a name consisting of an empty label (i.e. ".").  I agree; there's probably a more intuitive way to represent that.  Suggestions welcome.

Why not have "." mean "same host"?  "." isn't otherwise a sane value for type 2.
No service can be indicated by '1 0 . ""'.

> - What does it mean for SvcDomainName to be absent in alternative
>   service form? I would guess it means "same as RRNAME".
> 
> Sort of.  Alt-Svc has a concept of "uri-host omitted", in which case the connection proceeds to the same host.  I think the net effect is the same.
> 
> I agree, this seems like something the draft should clarify.  We also need to figure out what the text representation is.
>  
> - Why there is length field for SvcFieldValue? Why not let it run to
>   the end of record?
> - 2 byte length field can encode values up to 65535, not 65536. 
>   And the length of SvcFieldValue can not be that big, because
>   RRDATA and DNS message length limits (both 65535) would be hit.
> 
> Suggestions welcome.
>  
> - Why 302 redirects instead of 307? 302 is frequently buggy.
> 
> You're right, 307 is probably closer to what we mean.
>  
> - I-D.ietf-tls-tls13 -> RFC8446.
> - Is there any envisioned use for chained HTTPSSVC records, except
>   for type 0 record pointing to type 1 record?
> 
> You can also have longer chains, (0 -> 0 -> 1), but type 1 does not chain further.
>  
> - The MUST requirement to have only one type 0 record and then
>   SHOULD behave non-deterministically if this is violated is pretty
>   odd.
> 
> Agreed, we can improve that recommendation.
>  
> 
> 
> -Ilari

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

Received on Friday, 5 July 2019 03:21:38 UTC
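The wire-format points raised in the thread (DNS names are self-delimiting so SvcDomainName needs no separate length field, a trailing SvcFieldValue can run to the end of the RDATA, a 2-byte length caps at 65535, and "." can be read as "same host") can be checked with a small parser. The code below is an added example written for this archive page; it is not code from the draft, from its authors, or from ISC. The RDATA layout it encodes (`priority` + wire-format name + value-to-end-of-record) is a hypothetical one that follows those suggestions, not the layout in draft-nygren-httpbis-httpssvc-01, and the `same_host` interpretation of "." is Mark's proposal, not draft text.

```python
"""Self-delimiting DNS wire-format names and a hypothetical HTTPSSVC-style RDATA.

Added example for the mailing-list discussion above; the RDATA layout is an
assumption chosen to illustrate the review comments, not the draft's format.
"""
import struct
from typing import Tuple

MAX_RDATA = 65535  # RDLENGTH is a 16-bit field, so 65535 is the largest RDATA


def parse_wire_name(buf: bytes, offset: int = 0) -> Tuple[str, int]:
    """Decode an uncompressed RFC 1035 wire-format name starting at `offset`.

    Returns (presentation form, offset of the first byte after the name).
    Each label is length-prefixed and the name ends with a zero-length
    label, so the parser knows where the name stops without any outer
    length field. Compression pointers (top two bits set) are rejected
    because RDATA of new record types must not use them.
    """
    labels = []
    pos = offset
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name: no terminating zero label")
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or reserved label type")
        if pos + length > len(buf):
            raise ValueError("label runs past end of buffer")
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    if not labels:
        return ".", pos  # the root name: just the empty label
    return ".".join(labels) + ".", pos


def encode_wire_name(name: str) -> bytes:
    """Encode a presentation-form name ("example.com." or ".") to wire form."""
    if name == ".":
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            raise ValueError("empty label inside name")
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def encode_rdata(priority: int, domain: str, value: bytes) -> bytes:
    """Hypothetical layout: 2-byte priority, wire-format name, value to end."""
    rdata = struct.pack("!H", priority) + encode_wire_name(domain) + value
    if len(rdata) > MAX_RDATA:
        raise ValueError("RDATA exceeds 16-bit RDLENGTH limit of 65535")
    return rdata


def decode_rdata(rdata: bytes) -> dict:
    """Parse the hypothetical layout; "." is read as "same host" (Mark's proposal)."""
    if len(rdata) < 2:
        raise ValueError("RDATA too short for priority field")
    (priority,) = struct.unpack("!H", rdata[:2])
    domain, pos = parse_wire_name(rdata, 2)
    # No length field for the value: it is simply the rest of the record.
    return {
        "priority": priority,
        "domain": domain,
        "same_host": domain == ".",
        "value": rdata[pos:],
    }


if __name__ == "__main__":
    # Constructed sample: an alternative-service record pointing at the same host.
    rec = encode_rdata(1, ".", b"alpn=h3")
    print(rec.hex(), decode_rdata(rec))
```

Because `parse_wire_name` returns the offset where the name ended, the value field needs no length of its own, which is exactly why the reviewer asked what the extra length fields buy. The `MAX_RDATA` check also shows why a 2-byte SvcFieldValue length could never reach 65536.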