On Apr 21, 2021, at 11:58 AM, Ben Schwartz <bemasc=40google....@dmarc.ietf.org<mailto:bemasc=40google....@dmarc.ietf.org>> wrote:
On Wed, Apr 21, 2021 at 1:24 PM Wellington, Brian <bwelling=40akamai....@dmarc.ietf.org<mailto:40akamai....@dmarc.ietf.org>> wrote: Yes, I think that sentence should be changed. I’d suggest removing the "malformed SvcParamValues” part, but others may disagree. I agree that a URL is a tricky case. The spec writer might not want to include an ABNF representation of a valid URL, because implementors would likely want to use existing facilities to parse URLs, which are likely not consistent. In that case, though, I would expect the spec to indicate that the field is a bytestring, and the resolver to be able to that. The fact that it’s a URL is something that the client should be checking. But surely by this standard all fields are bytestrings? They’re all sequences of bytes, sure. But all of the defined parameters do have syntactic structure, and resolvers should be allowed to do the same level of syntactic checking for SVCB/HTTPS records as they do for records of other types. If there’s checking which is clearly out of the scope of the document (like URL validation), that is fundamentally different than checks like “the IPv6 address is 16 bytes”. For the existing parameters, there are checks that can (and should) be made; that IPv4 addresses, IPv6 addresses, and ports are of appropriate length, that the ALPN field has the right length prefix, and that the mandatory field is ordered and has a valid length. There are also checks which are not specified, and which a client may want to do, but are not part of the record format itself. I wouldn’t expect a recursive resolver to reject a record containing an ipv4hint with the address 255.255.255.255, but that doesn’t mean that a client should try to connect to it. It sounds like you are suggesting that we distinguish between "how the resolver should parse the value" and "how the client should parse the value" ... but the value is meaningless to the resolver, so there is no particular sense in which the resolver should parse it. This is not like JSON, where an intermediary might check that the value of the "url" key is a string, without checking whether it is a valid URL. All SvcParamValues are opaque bytestrings unless you know how to parse them. Again, there is a difference between syntax and semantics. The resolver should be allowed to check that something conforms to the syntax specified in the spec, even if it doesn’t use the value. Resolvers do not use the contents of most DNS record types, other than the ones which are used part of the DNS protocol itself (NS, A, AAAA, and the DNSSEC records). That does not mean that it shouldn’t check the formats of other known records when possible. I do not think that it should be required that a resolver is able to convey malformed records, where malformed is (only) referring to the syntactic content. That’s not how resolvers work for other types; no resolvers have options to allow 5 byte A records. Similarly, there's no requirement here that resolvers be able to convey a syntactically invalid SvcParams structure (i.e. truncated TLV). The requirement is that resolvers are, in general, able to convey records even if a SvcParamValue does not appear to be valid according to the key's specification. This is particularly relevant for multipurpose codebases that can act as both recursive and authoritative (or client). Such codebases must contain full SvcParam validation logic for all recognized SvcParamKeys, but they must be able to bypass it in recursive mode to avoid ossification. This is absolutely not true. Once the format of an rdata type (or a subtype, like an SVCB parameter) is defined, it must not change. The authors of this spec surely know this, as there was a lot of discussion about the incompatibility of the echconfig->ech change, and how something like this could never happen in a standardized type. A correctly implemented resolver should never reject a valid parameter as invalid, and if there is a need to change what the definition of a valid parameter is, that requires defining a new parameter type. This is not a requirement that resolvers always pass through these invalid values, and in many cases (e.g. "port") the validation is sufficiently trivial that enforcing it poses minimal compatibility risk. However, I think this is worth highlighting because, in my own implementation, it was easiest to enforce full validation for all recognized keys (present and future) during recursive resolution, and some extra effort was required to make sure that invalid values could pass through. It’s a requirement that recursive resolvers introduce new behavior to allow the avoidance of format validation for SVCB records. You’re free to implement that in your own code, but it’s an onerous requirement for other implementors. Changing the text to: Recursive resolvers MUST be able to convey SVCB records with unrecognized SvcParamKeys, and MAY be able to convey SVCB records with malformed SvcParamValues. would be fine with me, and I’d ignore the MAY part. Brian On Apr 21, 2021, at 10:00 AM, Ben Schwartz <bemasc=40google....@dmarc.ietf.org<mailto:bemasc=40google....@dmarc.ietf.org>> wrote: On Wed, Apr 21, 2021 at 12:44 PM Wellington, Brian <bwelling=40akamai....@dmarc.ietf.org<mailto:40akamai....@dmarc.ietf.org>> wrote: I’m not a fan of the new text in section 4.3: Recursive resolvers MUST be able to convey SVCB records with unrecognized SvcParamKeys or malformed SvcParamValues. It is perfectly reasonable for a recursive resolver to reject any malformed DNS record. There’s a significant difference between “malformed” and “unknown”. A recursive resolver should definitely allow records with unknown SvcParamKeys, but if the format of a record is known, a resolver should be allowed (encouraged, in fact) to check that it conforms to that format. The concern here was about differing interpretations of future standards. For example, if some SvcParamValue is defined as a URL (for some future key), implementations are likely to disagree about whether certain bytestrings are valid URLs. (There are several definitions and a zillion edge cases.) The resolver has no use for these values, so the most compatible behavior is to treat them as opaque bytestrings. We very deliberately chose the phrase "MUST be able to convey" to recognize that resolvers might be configured not to convey a record with a malformed value, but it should be possible. Do you think we should change this sentence?
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
