In message <54A81E9A(_dot_)1020700(_at_)cisco(_dot_)com>, Eliot Lear writes:
Hi Patrik,
On 1/3/15 4:49 PM, Patrik Fältström wrote:
On 3 jan 2015, at 15:32, MÃ¥ns Nilsson
<mansaxel(_at_)besserwisser(_dot_)org>
wrote:
I strongly support incorporating SRV record support in the HTTPbis
specification.
FWIW, I am also in favor or SRV, although I (being biased) think "how
to use URI with HTTP2" would not be a bad addition either[1].
We do though have multiple discussions like these, that I do not think
really conclude:
<https://news.ycombinator.com/item?id=8404612>
Because of this, what I think IS (at least) needed in the http2 spec
are a few words about DNS. Else the discussions will just continue and
continue...
One could for example say something like:
"If the URI does not include a path (only consists of scheme and
authority, which in turn include domain), a client MIGHT look up either
SRV record _http._tcp.domain or URI for the same owner_http._tcp.domain
and act on the result of those lookups according to the SRV and URI spec
respectively."
And then reference some "happy eyeballs" specification on how to do it
in detail.
There there was a fuller discussion about this in the WG about two years
ago, and then again last year. As John pointed out there are a few more
issues, one of which is that the release philosophy taken by the WG is
that there is some expectation that HTTP2 will not be the last version
released, and some additions may come sooner than later. This presents
several problems for SRV. First, as a matter of IANA policy we don't
normally allocate more than one name for the same service, no matter the
version. This is something of a sore point, and a general one at that.
One would really like to be able to pass some initial protocol parameter
information back as part of a DNS query such that the information could
be reasonably cached (oh, say versioning?). I am not convinced that the
WG has a full handle on this with the various header games being
considered, but there was a fair bit of discussion about this as well a
while back, and there are some tradeoffs to be made, like binding the
information tightly to the connection and all of its attendant
properties. Also, tying versioning of any form into the DNS where the
different versions have different security properties makes the solution
dependent on DNSSEC. I'm ALL for DNSSEC, but as there are alternatives
that don't require it, it's not the draw we would like in this case.
And no, you needn't preach to the choir on this point: it really SHOULD
be a draw because it provides huge possibilities for doing all sorts of
fun application initialization, but I digress.
Second, even if we did handle versioning in SRV, there are known to be
residential gateways out there that can't handle very many parallel DNS
queries, and so we run into a loss problem.
SRV doesn't require lots of parallel DNS queries. I suspect in
most cases there would be a single SRV record pointing to the hosting
service. There is only a single CNAME record pointing to the hosting
service today.
If one needs versioned HTTP / HTTPS records
Finally, to address MÃ¥ns' comments, additional data for the target
doesn't get signed (but correct me if I missed a change).
Additional data is returned with RRSIGs and always has been. Glue
records are not signed but that is not what we are talking about
here.
An example with a MX record and with a MX target's address records
in the cache. I cut out the NS RRset and the additional record
related to it and their RRSIGs.
% dig mx isc.org +dnssec
; <<>> DiG 9.11.0pre-alpha <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11360
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 17
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN MX
;; ANSWER SECTION:
IsC.org. 7165 IN MX 10 mx.ams1.isc.org.
IsC.org. 7165 IN MX 10 mx.pao1.isc.org.
IsC.org. 7165 IN RRSIG MX 5 2 7200 20150201123610
20150102123610 4521 isc.org.
AV82lsdjjsKFOIjlw74l6Q/MSxnApZkbtsHFtYrPBybm/argxDVuWE76
SlCsZv6oL9a8wVBQ5+K6snhwfy7YUbvDVe6RUbEwt+/o85F442Vk/6zc
XEu/A23sYyK/uX4X1yCU3wSldtGn65InBjXAyuLgngGogUCdSKMenyoa 2wk=
;; AUTHORITY SECTION:
[Cut]
;; ADDITIONAL SECTION:
mx.pao1.IsC.org. 3581 IN A 149.20.64.53
[cut]
mx.pao1.IsC.org. 3586 IN AAAA 2001:4f8:0:2::2b
[cut]
mx.pao1.IsC.org. 3581 IN RRSIG A 5 4 3600 20150128233258
20141229233258 2781 pao1.isc.org.
yjA8uFr2Et7ciHsTs7JZzelqfPgaP7NAYJZpc5BJ3S4cB/jV7oqU5IJu
jOuEuvjxNCMMTDGe0OFTXWZkWxxd3EHkRH9K32U7OaGell9ztUokiV4W
Ny5wIa5RtLGDVVKEEfIG+EqU9AhrTDK8xR1Gygd4IYb6xUKFo9Nb+KHY YSg=
mx.pao1.IsC.org. 3586 IN RRSIG AAAA 5 4 3600 20150128233258
20141229233258 2781 pao1.isc.org.
Ar1Y++KzlS+ub7AsQRKymQe1cCs2vqVkLr57MSEg/KvVq93iD9J12nj/
ARo/occj9rCC3NFTI0vJSYokeuz02PovUKB4y53dH0CemaOvTKMxVvNi
sCq+E66H7F+R9y6yWFxnjpQIGRv1c822pF7XDtEyXwwesZLNxAPFI9ns AEI=
[cut]
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 04 08:28:30 EST 2015
;; MSG SIZE rcvd: 2071
%
Now if one actually wants to signal which version of HTTP are
supported in the DNS then actual HTTP records would be the way to
go containing flags, version, preference, weight, port and target.
HTTP flags version preference weight port target
flags: 16 bits
SECURE (https available)
version: txt field
preference: 16 bits
weigth: 16 bits
port: 16 bits
target: domain
and say that if the target is a CNAME that the CNAME will be added
to the additional section and that it will be followed. One could
even have HTTP indicate that targets SHOULD be fetched before
returning.
(Actually,
one of things I wanted from DPRIVE was the ability to handle multiple
questions in the same transaction, but alas, probably not.) In
addition, with caching times down to small numbers of minutes for many
sites (or less), we probably can't say that this is a simple 1st
transaction cost. What's more many enterprises do a zone cut at
_tcp.example.com, and it is not uncommon to see TCP connections for
those transactions (I know at least one network administrator who
thought it was unheard of *not* to do a zone cut and delegation at
_tcp). To address a bunch of these issues I had posited a record [1]
that actually made use of the same QNAME, but it really is quite (dare
the author say overly?) complex.
So what if they do a zone cut? That doesn't stop the recursive server
caching the results and combining them.
And this leads us back to performance. I personally do not have an
answer for what acceptable performance is in these circumstances. And
so some experimentation would really REALLY be good. Is 100 ms for this
feature acceptable? 30? 80? 200? I really can't say, and there was no
desire in the WG to go this far. I will say that Cisco has an open RFP
for related work if any researchers want to take the challenge.[2]
Eliot
[1] http://tools.ietf.org/html/draft-lear-httpbis-svcinfo-rr
[2]
http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp13077.
html
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org