On Mon, Mar 9, 2020 at 10:32 PM Paul Vixie <p...@redbarn.org> wrote: > On Monday, 9 March 2020 20:56:39 UTC Ben Schwartz wrote: > > It occurs to me that I hit "publish" on this draft without updating the > > release notes, so I'll mention some of the many changes since -01 here > > instead: > > > > ... > > > > As always, please review and send comments. We also expect to do a > > presentation on this draft (remotely) in the DNSOP session. > > i propose that section 6.2 for "port", and all references to same, be > removed. >
We discussed this some on one of our authors' calls following my seeing you allude to this a few weeks ago. The rationale for keeping port is that HTTPS is not just about the "web" use-case. While for Web use-cases it is common for most things to always tcp/443, there are plenty of non-"Web" use-cases (such as API calls in data centers, service meshes, etc.) where non-standard ports are commonly used. I know that Tim keeps highlighting a desire to make sure we consider these use-cases. There's a default when port is left out (perhaps that should be clarified better?) but there are cases when being able to switch to an alternate port has value. Another case where this applies is QUIC/UDP where udp/443 is commonly used but where operators may wish to situationally use different ports. Adding a warning that the use of non-default ports could have operational challenges might be warranted. (There are also some confused deputy risks around non-default ports for servers that don't validate the port in the Host header, but others convinced me that that's a problem for another day.) A closely related issue is this one: https://github.com/MikeBishop/dns-alt-svc/issues/111 (regarding clarifying the default port.) Does this help address the concern? It's helpful to know the historical context. Erik > this is: > > --- > > 6.2. "port" > > The "port" SvcParamKey defines the TCP or UDP port that should be > used to contact this alternative service. > > The presentation format of the SvcParamValue is a numeric value > between 0 and 65535 inclusive. Any other values (e.g. the empty > value) are syntax errors. > > The wire format of the SvcParamValue is the corresponding 2 octet > numeric value in network byte order. > > === > > in the SRV RR (from RFC 2782) we specified a port number as part of the > RData > because a client would otherwise have to have an up-to-date /etc/services > file > (or local equivalent) to know what (TCP) port number a listener would > listen > on, and this seemed archaic. > > for HTTPSSVC and SVCB, the service is a constant (HTTPS) and its transport > layer port number (443) is known. inviting listener operators to specify a > different port number will result in unpredictable (other than > wide-spread) > failures for those accessors behind NAT, firewalls, or ALG's. > > please leave out this legacy from DNS SRV as you go forward with HTTPSSVC. > > -- > Paul > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop