alt-svc is quite robust to reachability failures of the alternative origins should some client find itself on a network that filters full transit.
This process is already existing technology (RFC 7838). From that perspective the DNS record is just a way to bootstrap it over DNS rather than the default host/port for the URI.

-Patrick

On Tue, Mar 10, 2020 at 12:24 PM Paul Vixie <p...@redbarn.org> wrote:

> On Tuesday, 10 March 2020 13:30:53 UTC Patrick McManus wrote:
> > another positive feature of ports in this record is that it provides some
> > address space independent of the origin security model of the URI. By this
> > I mean that https://www.foo.com (implicit :443) and https://www.foo.com:555
> > are different origins with different web security boundaries. While two
> > different httpssvc records for 443 and 555 (both for https://www.foo.com)
> > are in the same origin.. this level of indirection can be used for A/B
> > testing or even for encoding load balancing information in an IP constrained
> > space. Just like the address is distinct from the URL, the port separates
> > the 'what' from the 'how' and that's good.
>
> your reply above precisely demonstrates the risk offered by allowing a service
> operator to select a non-default port. please read my down-thread response to
> erik nygren and consider the non-reachability impacts of such selection on far
> edge managed private networks, who will only build NAT, AGM, or firewall flow
> state for permitted (in-policy) flows.
>
> there's a separate problem on retermination, but i'll address that in quic-wg.
>
> --
> Paul
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
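The two points argued in the thread, that an alternative port named by an Alt-Svc header (RFC 7838) or an HTTPS record's `port` SvcParam changes only the endpoint the client connects to and not the web origin of the URI, and that a client on a network which only passes in-policy flows must fall back to the default host/port when the alternative is filtered, can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, the DNSOP draft or any implementation. The record and header values are constructed (`www.foo.com` and port 555 come from the thread; `alt.foo.com` and the `reachable` predicate standing in for a connection attempt are assumptions), only the `port` SvcParam is interpreted, and IPv6 literals in Alt-Svc authorities are not handled.

```python
"""Added example: alternative endpoints vs. web origin, and fallback under
a port-filtering network policy. Not code from the DNSOP thread."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


@dataclass(frozen=True)
class Origin:
    """Web origin: the security boundary, derived only from the URI."""
    scheme: str
    host: str
    port: int


@dataclass(frozen=True)
class Endpoint:
    """Where the client actually connects: the 'how', not the 'what'."""
    host: str
    port: int


def origin_of(uri: str) -> Origin:
    """https://www.foo.com and https://www.foo.com:555 are different origins;
    an explicit :443 is the same origin as the implicit default."""
    u = urlsplit(uri)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return Origin(u.scheme, u.hostname.lower(), port)


def parse_alt_svc(header: str, origin: Origin) -> list[Endpoint]:
    """Parse an Alt-Svc header value (RFC 7838 section 3), e.g.
    'h2=":555"; ma=3600, h3="alt.foo.com:443"'. An empty host in the
    alt-authority means the origin's own host; the special value 'clear'
    invalidates all alternatives. Only hostname/IPv4 authorities are handled."""
    endpoints = []
    for entry in header.split(","):
        params = entry.strip().split(";")
        protocol, _, authority = params[0].partition("=")
        if protocol.strip() == "clear":
            return []
        authority = authority.strip().strip('"')
        host, _, port = authority.rpartition(":")
        endpoints.append(Endpoint(host or origin.host, int(port)))
    return endpoints


def parse_https_rdata(owner: str, rdata: str) -> tuple[int, Endpoint]:
    """Parse the presentation form of an HTTPS record's RDATA
    ('<SvcPriority> <TargetName> [SvcParams...]'), e.g. '1 . alpn="h2,h3" port=555'.
    TargetName '.' means the owner name itself. Only the port SvcParam is
    interpreted; without it the scheme default (443) applies."""
    fields = rdata.split()
    priority, target = int(fields[0]), fields[1]
    host = owner if target == "." else target
    port = 443
    for param in fields[2:]:
        key, _, value = param.partition("=")
        if key == "port":
            port = int(value.strip('"'))
    return priority, Endpoint(host.rstrip(".").lower(), port)


def policy_allows(allowed_ports: set[int]):
    """Assumed stand-in for a far-edge NAT/firewall that only builds flow
    state for in-policy ports: returns a reachability predicate."""
    return lambda ep: ep.port in allowed_ports


def select_endpoint(origin: Origin, candidates: list[Endpoint], reachable) -> Endpoint:
    """Try each alternative in order; if none is reachable, fall back to the
    default host/port of the URI. The origin is never altered by this choice."""
    default = Endpoint(origin.host, origin.port)
    for ep in candidates:
        if reachable(ep):
            return ep
    return default


if __name__ == "__main__":
    o = origin_of("https://www.foo.com")
    _, alt = parse_https_rdata("www.foo.com.", '1 . alpn="h2,h3" port=555')
    print("origin:", o)
    print("open network  ->", select_endpoint(o, [alt], policy_allows({443, 555})))
    print("443-only net  ->", select_endpoint(o, [alt], policy_allows({443})))
```

Running the block shows the same origin in both cases, with the alternative port used on the open network and the default endpoint used where only 443 passes the policy.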