[DNSOP] Fwd: HTTPSSVC record draft

Mon, 08 Jul 2019 02:01:45 -0700

For those not paying attention to the HTTP-bis working group, this DNS RR was proposed there last week.
It appears to subsume the ALT-SVC proposal and also covers the use case I had in mind with my HTTP Record draft (i.e. CNAME at the apex). 


Given that it has someone from at least major browser vendor supporting 
it there's some hope that this will actually be implemented by them.  It 
therefore seems my draft is probably no longer required.  Hopefully 
ANAME will follow it the same way ;-)


Ray

-------- Forwarded Message --------
Subject:        HTTPSSVC record draft
Resent-Date:    Wed, 03 Jul 2019 18:46:25 +0000
Resent-From:    ietf-http...@w3.org
Date:   Wed, 3 Jul 2019 14:45:47 -0400
From:   Erik Nygren <erik+i...@nygren.org>

To: 	ietf-http...@w3.org Group <ietf-http...@w3.org>, Mike Bishop 
<mbis...@evequefou.be>, Erik Nygren <erik+i...@nygren.org>, Benjamin 
Schwartz <bem...@google.com>, Erik Nygren - Work <nyg...@akamai.com>






Ben, Mike, and I have submitted the first version of a proposal for an 
"HTTPSSVC" DNS record.



TL;DR:  This attempts to address a number of problems (ESNI, QUIC 
bootstrapping, HTTP-to-HTTPS redirection via DNS, SRV-equivalent for 
HTTP, etc) in a holistic manner through a new extensible DNS record, 
rather than in a piecemeal fashion.  It is based on some previous 
proposals such as "Alt-Svc in the DNS" and "Service Bindings" but takes 
into account feedback received in DNSOP and elsewhere.



Feedback is most welcome and we're looking forward to discussing with 
people in Montreal.


Draft link:

https://tools.ietf.org/html/draft-nygren-httpbis-httpssvc-01



 From the abstract:


This document specifies an "HTTPSSVC" DNS resource record type to 
facilitate the lookup of information needed to make connections for 
HTTPS URIs.  The HTTPSSVC DNS RR mechanism allows an HTTPS origin 
hostname to be served from multiple network services, each with 
associated parameters (such as transport protocol and keying material 
for encrypting TLS SNI).  It also provides a solution for the inability 
of the DNS to allow a CNAME to be placed at the apex of a domain name.  
Finally, it provides a way to indicate that the origin supports HTTPS 
without having to resort to redirects, allowing clients to remove HTTP 
from the bootstrapping process.



By allowing this information to be bootstrapped in the DNS, it allows 
for clients to learn of alternative services before their first contact 
with the origin.  This arrangement offers potential benefits to both 
performance and privacy.



This proposal is inspired by and based on recent DNS usage proposals 
such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to 
have SRV or a functional equivalent implemented for HTTP).  These 
proposals each provide an important function but are potentially 
incompatible with each other, such as when an origin is load-balanced 
across multiple hosting providers (multi-CDN). Furthermore, these each 
add potential cases for adding additional record lookups in-addition to 
AAAA/A lookups.  This design attempts to provide a unified framework 
that encompasses the key functionality of these proposals, as well as 
providing some extensibility for addressing similar future challenges.


--

Some likely FAQs (with some others listed in an appendix):

Q: Why this is HTTP-specific?

A: This is because every protocol has different bootstrap requirements.  
This draft is concerned with improving the efficiency and security of 
bootstrapping HTTPS connections.  This proposal does offer room for 
non-HTTPS protocols, but the nature of DNS requires underscore prefixing 
to support protocol-keyed answers within a single RRTYPE. It's also 
unlikely that a single RR format would be the ideal bootstrap mechanism 
for every protocol, and there's no reason that multiple protocols should 
have to share an RRTYPE.

Q: Why is ESNI addressed directly?

A: This helps make a major motivation of this draft more clear.  
Splitting out those sections to a separate-but-associated "alt-svc 
attribute for ESNI keys" draft might make sense, but keeping it here 
helps work through some of the issues together.


Q: Why does this try to address the HSTS case?

A: This is a unique opportunity to fix HTTPS bootstrap and avoid 
providing insecure defaults.  We'd originally proposed a separate 
Alt-Svc attribute to indicate hsts-style behavior, but then realized 
that it would make sense to push on that as the default here.


Best, Erik

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop






















					Reply via email to