< draft-nygren-httpbis-httpssvc-00.txt   draft-nygren-httpbis-httpssvc-01.txt >
HTTP Working Group B. Schwartz HTTP Working Group B. Schwartz
Internet-Draft Google Internet-Draft Google
Intended status: Standards Track M. Bishop Intended status: Standards Track M. Bishop
Expires: January 4, 2020 E. Nygren Expires: January 4, 2020 E. Nygren
Akamai Technologies Akamai Technologies
July 3, 2019 July 3, 2019
HTTPSSVC service location and parameter specification via the DNS (DNS HTTPSSVC service location and parameter specification via the DNS (DNS
HTTPSVC) HTTPSSVC)
draft-nygren-httpbis-httpssvc-00 draft-nygren-httpbis-httpssvc-01
Abstract Abstract
This document specifies an "HTTPSSVC" DNS resource record type to This document specifies an "HTTPSSVC" DNS resource record type to
facilitate the lookup of information needed to make connections for facilitate the lookup of information needed to make connections for
HTTPS URIs. The HTTPSSVC DNS RR mechanism allows an HTTPS origin HTTPS URIs. The HTTPSSVC DNS RR mechanism allows an HTTPS origin
hostname to be served from multiple network services, each with hostname to be served from multiple network services, each with
associated parameters (such as transport protocol and keying material associated parameters (such as transport protocol and keying material
for encrypting TLS SNI). It also provides a solution for the for encrypting TLS SNI). It also provides a solution for the
inability of the DNS to allow a CNAME to be placed at the apex of a inability of the DNS to allow a CNAME to be placed at the apex of a
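Review bot: the parenthetical short name in the title reads "HTTPSVC" in the -00 column and "HTTPSSVC" in the -01 column, and the -01 spelling is the one the abstract itself uses for the record type ("an "HTTPSSVC" DNS resource record type", "The HTTPSSVC DNS RR mechanism"), so the change brings the title into line with the body; nothing else in this block differs between the two columns.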
skipping to change at page 4, line 10 skipping to change at page 4, line 10
Handling situations beyond this within the DNS requires learning Handling situations beyond this within the DNS requires learning
additional information, and it is highly desirable to minimize the additional information, and it is highly desirable to minimize the
number of round-trip and lookups required to learn this additional number of round-trip and lookups required to learn this additional
information. information.
1.1. Introductory Example 1.1. Introductory Example
As an introductory example, a set of example HTTPSSVC and associated As an introductory example, a set of example HTTPSSVC and associated
A+AAAA records might be: A+AAAA records might be:
www.example.com. 2H IN CNAME svc.example.net. www.example.com. 2H IN CNAME svc.example.net.
example.com. 2H IN HTTPSVC 0 0 svc.example.net. example.com. 2H IN HTTPSSVC 0 0 svc.example.net.
svc.example.net. 2H IN HTTPSVC 1 2 svc3.example.net. "hq=\":8003\" \ svc.example.net. 2H IN HTTPSSVC 1 2 svc3.example.net. "hq=\":8003\" \
esnikeys=\"...\"" esnikeys=\"...\""
svc.example.net. 2H IN HTTPSVC 1 3 svc2.example.net. "h2=\":8002\" \ svc.example.net. 2H IN HTTPSSVC 1 3 svc2.example.net. "h2=\":8002\" \
esnikeys=\"...\"" esnikeys=\"...\""
svc2.example.net. 300 IN A 192.0.2.2 svc2.example.net. 300 IN A 192.0.2.2
svc2.example.net. 300 IN AAAA 2001:db8::2 svc2.example.net. 300 IN AAAA 2001:db8::2
svc3.example.net. 300 IN A 192.0.2.3 svc3.example.net. 300 IN A 192.0.2.3
svc3.example.net. 300 IN AAAA 2001:db8::3 svc3.example.net. 300 IN AAAA 2001:db8::3
In the preceding example, both of the "example.com" and In the preceding example, both of the "example.com" and
"www.example.com" origin names are aliased to use service endpoints "www.example.com" origin names are aliased to use service endpoints
offered as "svc.example.net" (with "www.example.com" continuing to offered as "svc.example.net" (with "www.example.com" continuing to
use a CNAME alias). HTTP/2 is available on a cluster of machines use a CNAME alias). HTTP/2 is available on a cluster of machines
located at svc2.example.net with TCP port 8002 and HTTP/3 is located at svc2.example.net with TCP port 8002 and HTTP/3 is
available on a cluster of machines located at svc3.example.net with available on a cluster of machines located at svc3.example.net with
UDP port 8003. An ESNI key is specified which allows the SNI values UDP port 8003. An ESNI key is specified which allows the SNI values
of "example.com" and "www.example.com" to be encrypted in the of "example.com" and "www.example.com" to be encrypted in the
handshake with these service endpoints. When connecting, clients handshake with these service endpoints. When connecting, clients
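Review bot: in the -00 column the three zone-file lines use "HTTPSVC" as the RR type mnemonic while the sentence introducing them says "a set of example HTTPSSVC and associated A+AAAA records"; a zone file whose type mnemonic does not match the registered name would not load, so the -01 correction on the example.com and the two svc.example.net records is needed for the example to be usable as written. One point that survives into -01: the explanatory paragraph names the endpoints, ports and transports (svc2.example.net TCP 8002 for HTTP/2, svc3.example.net UDP 8003 for HTTP/3) and the ESNI key, but says nothing about the SvcFieldPriority values 2 and 3 carried on the two records, so a reader cannot tell from this section which endpoint a client is expected to prefer; a half sentence on that would complete the walk-through.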
skipping to change at page 5, line 18 skipping to change at page 5, line 18
as "example.com") for HTTPS traffic, and generally enables as "example.com") for HTTPS traffic, and generally enables
delegation of operational authority for an HTTPS origin within the delegation of operational authority for an HTTPS origin within the
DNS to an alternate name. This addresses a set of long-standing DNS to an alternate name. This addresses a set of long-standing
issues due to HTTP(S) clients not implementing support for SRV issues due to HTTP(S) clients not implementing support for SRV
records, as well as due to a limitation that a DNS name can not records, as well as due to a limitation that a DNS name can not
have both a CNAME record as well as NS RRs (as is the case for have both a CNAME record as well as NS RRs (as is the case for
zone apex names) zone apex names)
1.3. Overview of the HTTPSSVC RR 1.3. Overview of the HTTPSSVC RR
This subsection briefly describes the HTTPSVC RR in a non-normative This subsection briefly describes the HTTPSSVC RR in a non-normative
manner. manner.
The HTTPSSVC RR has four primary fields: The HTTPSSVC RR has four primary fields:
1. SvcRecordType: A numeric flag indicating how to interpret the 1. SvcRecordType: A numeric flag indicating how to interpret the
subsequent fields. When "0", it indicates that the RR contains subsequent fields. When "0", it indicates that the RR contains
an alias. When "1", it indicates that the RR contains an an alias. When "1", it indicates that the RR contains an
alternative service definition. alternative service definition.
2. SvcFieldPriority: The priority of this record (relative to 2. SvcFieldPriority: The priority of this record (relative to
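Review bot: the sentence ending "(as is the case for zone apex names)" has no terminating period in either column; the only change in this block is "describes the HTTPSVC RR" becoming "describes the HTTPSSVC RR", which matches the section heading "1.3. Overview of the HTTPSSVC RR" directly above it.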
skipping to change at page 5, line 48 skipping to change at page 5, line 48
alternative service endpoint for the domain name specified in alternative service endpoint for the domain name specified in
SvcDomainName (only when SvcRecordType is "1" and otherwise SvcDomainName (only when SvcRecordType is "1" and otherwise
empty). empty).
Cooperating DNS recursive resolvers will perform subsequent record Cooperating DNS recursive resolvers will perform subsequent record
resolution (for HTTPSSVC, A, and AAAA records) and return them in the resolution (for HTTPSSVC, A, and AAAA records) and return them in the
Additional Section of the response. Clients must either use Additional Section of the response. Clients must either use
responses included in the additional section returned by the responses included in the additional section returned by the
recursive resolver or perform necessary HTTPSSVC, A, and AAAA record recursive resolver or perform necessary HTTPSSVC, A, and AAAA record
resolutions. DNS authoritative servers may attach in-bailiwick resolutions. DNS authoritative servers may attach in-bailiwick
HTTPSVC, A, AAAA, and CNAME records in the Additional Section to HTTPSSVC, A, AAAA, and CNAME records in the Additional Section to
responses for an HTTPSVC query. responses for an HTTPSSVC query.
When SvcRecordType is "1", the HTTPSSVC RR extends the concept When SvcRecordType is "1", the HTTPSSVC RR extends the concept
introduced in the HTTP Alternative Services proposed standard introduced in the HTTP Alternative Services proposed standard
[AltSvc]. Alt-Svc defines: [AltSvc]. Alt-Svc defines:
o an extensible data model for describing alternative network o an extensible data model for describing alternative network
endpoints that are authoritative for an origin endpoints that are authoritative for an origin
o the "Alt-Svc Field Value", a text format for representing this o the "Alt-Svc Field Value", a text format for representing this
information information
skipping to change at page 9, line 13 skipping to change at page 9, line 13
"alternative service form". "alternative service form".
2.4. HTTPSSVC records: alias form 2.4. HTTPSSVC records: alias form
When SvcRecordType is "0", the HTTPSSVC record is to be treated When SvcRecordType is "0", the HTTPSSVC record is to be treated
similar to a CNAME alias pointing to the domain name specified in similar to a CNAME alias pointing to the domain name specified in
SvcDomainName. HTTPSSVC RRSets MUST only have a single resource SvcDomainName. HTTPSSVC RRSets MUST only have a single resource
record in this form. If multiple are present, clients or recursive record in this form. If multiple are present, clients or recursive
resolvers SHOULD pick one non-determinstically. resolvers SHOULD pick one non-determinstically.
The common use-case for this form of the HTTPSVC record is as an The common use-case for this form of the HTTPSSVC record is as an
alternative to CNAMEs at the zone apex where they are not allowed. alternative to CNAMEs at the zone apex where they are not allowed.
For example, if an operator of https://example.com wanted to point For example, if an operator of https://example.com wanted to point
HTTPS requests to a service operating at svc.example.net, they would HTTPS requests to a service operating at svc.example.net, they would
publish a record such as: publish a record such as:
example.com. 3600 IN HTTPSSVC 0 0 svc.example.net. example.com. 3600 IN HTTPSSVC 0 0 svc.example.net.
The SvcDomainName MUST point to a domain name that contains another The SvcDomainName MUST point to a domain name that contains another
HTTPSSVC record and/or address (AAAA and/or A) records. HTTPSSVC record and/or address (AAAA and/or A) records.
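Review bot: "non-determinstically" is misspelled in both columns (should be "non-deterministically") and was not picked up together with the "HTTPSVC" fix on the following line. On substance, the paragraph says an alias-form RRSet MUST contain a single record and then tells clients and resolvers to SHOULD pick one when several are present, so an RRSet that violates the MUST still resolves silently; it would help implementers if the text said whether such an RRSet is to be treated as an error to report or merely tolerated, since a resolver that drops it and one that picks one at random will behave differently for the same zone data.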
 End of changes. 5 change blocks. 
16 lines changed or deleted 16 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/