On Nov 22, 2016, at 2:52 PM, Ted Lemon <mellon(_at_)fugue(_dot_)com> wrote:
> I assume y'all have read RFC 6763…
I have, but at $dayjob I run routers, not write web browsers :-)
The key here is there are tools to do this, but it requires changing the
ecosystem in how all these HTTP transactions occur. As a network operator, this
is a transparent change to me, and our DNS servers will just see the different
QTYPE launched, similar to how we see both A+AAAA queries from the applications
our customers operate.
The problem, as usual, is educating people to move from functions like
gethostbyname() to getaddrinfo(), and what it would take to move people beyond
the registry for port ranges, etc., should the decision be made to go there.
I suspect nothing will change, but the indirection would help with issues seen
in the DNSBUNDLED BoF held at IETF-97. It would not exclusively resolve them,
but would help in ways that DNAME and other RRTypes have not.
It’s way easier to do sin.port=(80||443); vs using dnssd-related functions or
doing res_query and parsing the types.
When we do DDoS mitigation and appliances send a 302 to force authentication of
the client, there are many people who rolled their own HTTP API, didn’t
implement following of the redirect, and break. We’ve been asked to then turn
off the mitigation techniques if there is no good control over the calling API
implementers, who just claim “$Application is broken” vs “We didn’t think we
needed to follow the entire HTTP specification, because we rarely see that case”.
These are mostly human issues around code re-use, poor or outdated examples, and
commonly repeated myths, combined with actual broken devices that fall into that
1% threshold I mentioned previously.
- Jared
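The 302-based client authentication Jared describes is easy to reproduce offline, and the contrast between a hand-rolled "one request, read the body" client and one that actually follows the redirect chain is the whole bug. The code below is an added example, not code from Jared's message or from any mitigation vendor: the `transport` callable is a constructed stand-in for an origin sitting behind a DDoS-mitigation appliance (hypothetical host `www.example.test`, hypothetical `/challenge` path and `mitig` cookie name), chosen so the example runs with no network. `naive_fetch` models the broken client; `fetch` follows redirects with a hop limit, replays cookies set along the way, and downgrades POST to GET on 301/302/303 (but not 307/308), which is what browsers do and what such appliances assume.

```python
"""Added example: redirect-following HTTP client logic with a pluggable,
offline transport. Not part of the original mailing-list message."""
from urllib.parse import urljoin, urlsplit, parse_qs, quote

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# 301/302/303 are commonly turned into GET by browsers; 307/308 keep the method.
METHOD_REWRITING_STATUSES = {301, 302, 303}


class TooManyRedirects(Exception):
    """Raised when the hop limit is exhausted (e.g. a redirect loop)."""


def make_mitigation_transport(origin_body=b"{\"status\": \"ok\"}"):
    """Constructed stand-in for an origin behind a mitigation appliance.

    A client without the 'mitig' cookie is sent a 302 to /challenge?r=<path>;
    /challenge sets the cookie and 302s back; a client presenting the cookie
    reaches the origin and gets a 200. Every request is recorded in .log.
    """
    def transport(method, url, headers, body):
        transport.log.append((method, url, "Cookie" in headers))
        parts = urlsplit(url)
        cookies = dict(kv.strip().split("=", 1)
                       for kv in headers.get("Cookie", "").split(";") if "=" in kv)
        if parts.path == "/challenge":
            back = parse_qs(parts.query).get("r", ["/"])[0]
            return 302, {"Location": back, "Set-Cookie": "mitig=ok; Path=/"}, b""
        if cookies.get("mitig") != "ok":
            return 302, {"Location": "/challenge?r=" + quote(parts.path or "/", safe="")}, b""
        return 200, {"Content-Type": "application/json"}, origin_body
    transport.log = []
    return transport


def make_redirect_loop_transport():
    """Constructed transport that never stops redirecting (a broken appliance)."""
    def transport(method, url, headers, body):
        return 302, {"Location": "/loop"}, b""
    return transport


def naive_fetch(transport, url, method="GET", body=None):
    """What many hand-rolled API clients do: one request, treat the body as the answer."""
    status, _, resp_body = transport(method, url, {"Host": urlsplit(url).netloc}, body)
    return status, resp_body


def fetch(transport, url, method="GET", body=None, max_redirects=5):
    """Issue a request and follow 3xx redirects the way a browser would.

    transport(method, url, headers, body) -> (status, headers, body).
    Returns (final_status, final_body, redirects_followed). Cookies set by any
    hop are replayed to the same host (minimal per-host jar; no expiry/attrs).
    """
    jar = {}  # host -> {cookie_name: value}
    for hop in range(max_redirects + 1):
        host = urlsplit(url).netloc
        headers = {"Host": host}
        if jar.get(host):
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar[host].items())
        status, resp_headers, resp_body = transport(method, url, headers, body)
        # Harvest Set-Cookie before deciding what to do: the challenge page
        # sets the cookie on the very response that redirects us back.
        set_cookie = resp_headers.get("Set-Cookie")
        if set_cookie:
            name, _, value = set_cookie.split(";", 1)[0].partition("=")
            jar.setdefault(host, {})[name.strip()] = value.strip()
        if status not in REDIRECT_STATUSES:
            return status, resp_body, hop
        location = resp_headers.get("Location")
        if not location:
            return status, resp_body, hop  # 3xx without Location: hand it back as-is
        url = urljoin(url, location)  # relative Location is legal, resolve it
        if status in METHOD_REWRITING_STATUSES and method not in ("GET", "HEAD"):
            method, body = "GET", None
    raise TooManyRedirects(f"gave up after {max_redirects} redirects at {url}")


if __name__ == "__main__":
    t = make_mitigation_transport()
    print("naive:", naive_fetch(t, "http://www.example.test/api/v1/status")[0])
    print("following:", fetch(t, "http://www.example.test/api/v1/status"))
```

The hop limit is what keeps a misbehaving appliance from hanging the client, and it is deliberately a count rather than a "seen this URL before" set: in the legitimate flow the original URL is visited twice (once unauthenticated, once with the cookie), so URL-based loop detection would reject exactly the exchange the mitigation depends on.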