Re: draft-ietf-httpbis-rfc6265bis - preliminary questions for IETF dnsdir review

Hi Petr,

I think you're looking for this:
  https://url.spec.whatwg.org/

Cheers,


> On 15 Feb 2025, at 4:44 am, Petr Špaček <pspacek@isc.org> wrote:
> 
> Hello.
> 
> I have to say the more I dig into this area the more I'm confused.
> 
> Could the authors clarify for me, an HTTP noob, what the possible inputs are for the algorithm described in
> > 5.1.2. Canonicalized Host Names
> 
> In other words, who are callers and consumers of this algorithm?
> 
> 
> Second question:
> Is it standardized somewhere how a user input (e.g. typing in a URL manually, or clicking on a link) gets converted into the Host portion of the Authority field specified in RFC 3986 section 3.2/RFC 9110 section 4.3.1?
> 
> 
> I'm trying to shed light on the relation between this generic conversion mechanism (which presumably exists), this specific draft under review, RFC 6055, RFC 8222, and the real world.
> 
> 
> A simple test on a modern Linux installation indicates this might be broken already in the HTTP-world, but I want to understand this for real before hand-waving the problem away.
> 
> (beware, non-ASCII stuff follows)
> 
> $ grep hosts /etc/nsswitch.conf
> hosts: files dns
> 
> $ tail -n1 /etc/hosts
> 2001:db8::5 háčkyčárk.cz
> 
> $ getent hosts háčkyčárk.cz
> 2001:db8::5 háčkyčárk.cz
> 
> So far so good. Name service switch did its job.
> 
> $ curl http://háčkyčárk.cz/
> curl: (6) Could not resolve host: xn--hkyrk-xqac36ac.cz
> 
> Not good at all. Judging by a quick GDB excursion into the guts of curl, it has converted the URL into A-labels prematurely (before reaching the dns module in the NSS).
> 
> That is a nice example of a problem explained in RFC 6055 page 6, i.e. doing format conversions at the wrong layer.
> 
> Now the main question:
> Should this problem be baked into the Cookies spec? Should we try to fix it? Or perhaps only document there _is_ a problem?
> 
> Thank you for your thoughts.
> 
> Petr Špaček
> 
> 
> 
> On 25. 01. 25 4:27, Mark Nottingham wrote:
>> This may be helpful for context:
>>   https://httpwg.org/specs/rfc9110.html#authoritative.access
>> Cheers,
>>> On 25 Jan 2025, at 1:48 am, Petr Špaček <pspacek@isc.org> wrote:
>>> 
>>> Hello everyone.
>>> 
>>> I was assigned as the dnsdir reviewer for draft-ietf-httpbis-rfc6265bis.
>>> For more information about the DNS Directorate, please see
>>> https://wiki.ietf.org/en/group/dnsdir
>>> 
>>> I have a question before I start with the real review:
>>> 
>>> What is the intended interaction with non-DNS naming systems?
>>> 
>>> I'm not an HTTP expert, but I would guess that anything in Name Service Switch equivalent on a given operating system will become entangled in the cookie Domain attribute business.
>>> 
>>> Just off the top of my head
>>> - DNS
>>> - /etc/hosts equivalent
>>> - Tor onion.
>>> - GNUnet
>>> - NetBIOS
>>> - LLMNR
>>> - mDNS
>>> - (Let's not go any further...)
>>> 
>>> Yes, it is a minefield. I'm trying to find out how generic the name formatting text + security considerations should be because right now it mentions 'DNS' in a couple of places.
>>> 
>>> Thank you for your time.
> 
> -- 
> Petr Špaček

--
Mark Nottingham   https://www.mnot.net/

Received on Saturday, 15 February 2025 00:05:27 UTC
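
The lookup mismatch shown in the quoted curl test, as an added example that is not part of the thread or of curl's code: converting to A-labels before walking a `files dns` lookup order misses a hosts-file entry stored as a U-label, while converting only inside the DNS backend finds it. The function names, the dictionary standing in for a DNS zone and the hosts text are constructed for illustration, and Python's built-in `idna` codec (IDNA 2003) is assumed as a stand-in for curl's conversion.

```python
# Constructed stand-in for the /etc/hosts line quoted in the message.
HOSTS_FILE = "2001:db8::5 háčkyčárk.cz\n"


def parse_hosts(text):
    """Map every name in hosts-file text to its address, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def to_a_label(name):
    """U-label to A-label conversion using Python's built-in IDNA codec."""
    return name.encode("idna").decode("ascii")


def resolve_early_conversion(name, hosts, dns_zone):
    """Convert once, up front, then walk 'files dns' with the ASCII form."""
    ascii_name = to_a_label(name)
    return hosts.get(ascii_name) or dns_zone.get(ascii_name)


def resolve_per_backend(name, hosts, dns_zone):
    """Hand 'files' the name as typed; convert only inside the DNS backend."""
    return hosts.get(name.lower()) or dns_zone.get(to_a_label(name))


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    dns_zone = {}  # constructed: the name exists only in the hosts file
    name = "háčkyčárk.cz"
    print("A-label form:     ", to_a_label(name))
    print("early conversion: ", resolve_early_conversion(name, hosts, dns_zone))
    print("per-backend:      ", resolve_per_backend(name, hosts, dns_zone))
```

The same split matters for any code that compares a cookie's Domain attribute against a host name: both sides have to be in the same form before the comparison.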