| rfc9460v6.txt | rfc9460.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) B. Schwartz | Internet Engineering Task Force (IETF) B. Schwartz | |||
| Request for Comments: 9460 Meta Platforms, Inc. | Request for Comments: 9460 Meta Platforms, Inc. | |||
| Category: Standards Track M. Bishop | Category: Standards Track M. Bishop | |||
| ISSN: 2070-1721 E. Nygren | ISSN: 2070-1721 E. Nygren | |||
| Akamai Technologies | Akamai Technologies | |||
| October 2023 | November 2023 | |||
| Service Binding and Parameter Specification via the DNS (SVCB and HTTPS | Service Binding and Parameter Specification via the DNS (SVCB and HTTPS | |||
| Resource Records) | Resource Records) | |||
| Abstract | Abstract | |||
| This document specifies the "SVCB" ("Service Binding") and "HTTPS" | This document specifies the "SVCB" ("Service Binding") and "HTTPS" | |||
| DNS resource record (RR) types to facilitate the lookup of | DNS resource record (RR) types to facilitate the lookup of | |||
| information needed to make connections to network services, such as | information needed to make connections to network services, such as | |||
| for HTTP origins. SVCB records allow a service to be provided from | for HTTP origins. SVCB records allow a service to be provided from | |||
| skipping to change at line 241 ¶ | skipping to change at line 241 ¶ | |||
| The SVCB RR has two modes: 1) AliasMode (Section 2.4.2), which | The SVCB RR has two modes: 1) AliasMode (Section 2.4.2), which | |||
| aliases a name to another name and 2) ServiceMode (Section 2.4.3), | aliases a name to another name and 2) ServiceMode (Section 2.4.3), | |||
| which provides connection information bound to a service endpoint | which provides connection information bound to a service endpoint | |||
| domain. Placing both forms in a single RR type allows clients to | domain. Placing both forms in a single RR type allows clients to | |||
| fetch the relevant information with a single query (Section 2.3). | fetch the relevant information with a single query (Section 2.3). | |||
| The SVCB RR has two required fields and one optional field. The | The SVCB RR has two required fields and one optional field. The | |||
| fields are: | fields are: | |||
| SvcPriority (Section 2.4.1): | SvcPriority (Section 2.4.1): The priority of this record (relative | |||
| The priority of this record (relative to others, with lower values | to others, with lower values preferred). A value of 0 indicates | |||
| preferred). A value of 0 indicates AliasMode. | AliasMode. | |||
| TargetName: | TargetName: The domain name of either the alias target (for | |||
| The domain name of either the alias target (for AliasMode) or the | AliasMode) or the alternative endpoint (for ServiceMode). | |||
| alternative endpoint (for ServiceMode). | ||||
| SvcParams (optional): | SvcParams (optional): A list of key=value pairs describing the | |||
| A list of key=value pairs describing the alternative endpoint at | alternative endpoint at TargetName (only used in ServiceMode and | |||
| TargetName (only used in ServiceMode and otherwise ignored). | otherwise ignored). SvcParams are described in Section 2.1. | |||
| SvcParams are described in Section 2.1. | ||||
| Cooperating DNS recursive resolvers will perform subsequent record | Cooperating DNS recursive resolvers will perform subsequent record | |||
| resolution (for SVCB, A, and AAAA records) and return them in the | resolution (for SVCB, A, and AAAA records) and return them in the | |||
| Additional section of the response (Section 4.2). Clients either use | Additional section of the response (Section 4.2). Clients either use | |||
| responses included in the Additional section returned by the | responses included in the Additional section returned by the | |||
| recursive resolver or perform necessary SVCB, A, and AAAA record | recursive resolver or perform necessary SVCB, A, and AAAA record | |||
| resolutions (Section 3). DNS authoritative servers can attach in- | resolutions (Section 3). DNS authoritative servers can attach in- | |||
| bailiwick SVCB, A, AAAA, and CNAME records in the Additional section | bailiwick SVCB, A, AAAA, and CNAME records in the Additional section | |||
| to responses for a SVCB query (Section 4.1). | to responses for a SVCB query (Section 4.1). | |||
| skipping to change at line 276 ¶ | skipping to change at line 274 ¶ | |||
| each of these alternative endpoints (Section 7). | each of these alternative endpoints (Section 7). | |||
| For HTTP use cases, the HTTPS RR (Section 9) enables many of the | For HTTP use cases, the HTTPS RR (Section 9) enables many of the | |||
| benefits of Alt-Svc [AltSvc] without waiting for a full HTTP | benefits of Alt-Svc [AltSvc] without waiting for a full HTTP | |||
| connection initiation (multiple round trips) before learning of the | connection initiation (multiple round trips) before learning of the | |||
| preferred alternative, and without necessarily revealing the user's | preferred alternative, and without necessarily revealing the user's | |||
| intended destination to all entities along the network path. | intended destination to all entities along the network path. | |||
| 1.3. Terminology | 1.3. Terminology | |||
| Our terminology is based on the common case where the SVCB record is | Terminology in this document is based on the common case where the | |||
| used to access a resource identified by a URI whose authority field | SVCB record is used to access a resource identified by a URI whose | |||
| contains a DNS hostname as the host. | authority field contains a DNS hostname as the host. | |||
| * The "service" is the information source identified by the | * The "service" is the information source identified by the | |||
| authority and scheme of the URI, capable of providing access to | authority and scheme of the URI, capable of providing access to | |||
| the resource. For "https" URIs, the "service" corresponds to an | the resource. For "https" URIs, the "service" corresponds to an | |||
| "origin" [RFC6454]. | "origin" [RFC6454]. | |||
| * The "service name" is the host portion of the authority. | * The "service name" is the host portion of the authority. | |||
| * The "authority endpoint" is the authority's hostname and a port | * The "authority endpoint" is the authority's hostname and a port | |||
| number implied by the scheme or specified in the URI. | number implied by the scheme or specified in the URI. | |||
| skipping to change at line 432 ¶ | skipping to change at line 430 ¶ | |||
| prepending the service name with a label indicating the scheme, | prepending the service name with a label indicating the scheme, | |||
| prefixed with an underscore, resulting in a domain name like | prefixed with an underscore, resulting in a domain name like | |||
| "_examplescheme.api.example.com.". This follows the Attrleaf naming | "_examplescheme.api.example.com.". This follows the Attrleaf naming | |||
| pattern [Attrleaf], so the scheme MUST be registered appropriately | pattern [Attrleaf], so the scheme MUST be registered appropriately | |||
| with IANA (see Section 11). | with IANA (see Section 11). | |||
| Protocol mapping documents MAY specify additional underscore-prefixed | Protocol mapping documents MAY specify additional underscore-prefixed | |||
| labels to be prepended. For schemes that specify a port | labels to be prepended. For schemes that specify a port | |||
| (Section 3.2.3 of [URI]), one reasonable possibility is to prepend | (Section 3.2.3 of [URI]), one reasonable possibility is to prepend | |||
| the indicated port number if a non-default port number is specified. | the indicated port number if a non-default port number is specified. | |||
| We term this behavior "Port Prefix Naming" and use it in the examples | This document terms this behavior "Port Prefix Naming" and uses it in | |||
| throughout this document. | the examples throughout. | |||
| See Section 9.1 for information regarding HTTPS RR behavior. | See Section 9.1 for information regarding HTTPS RR behavior. | |||
| When a prior CNAME or SVCB record has aliased to a SVCB record, each | When a prior CNAME or SVCB record has aliased to a SVCB record, each | |||
| RR SHALL be returned under its own owner name, as in ordinary CNAME | RR SHALL be returned under its own owner name, as in ordinary CNAME | |||
| processing ([RFC1034], Section 3.6.2). For details, see the | processing ([RFC1034], Section 3.6.2). For details, see the | |||
| recommendations regarding aliases for clients (Section 3), servers | recommendations regarding aliases for clients (Section 3), servers | |||
| (Section 4), and zones (Section 10). | (Section 4), and zones (Section 10). | |||
| Note that none of these forms alter the origin or authority for | Note that none of these forms alter the origin or authority for | |||
| skipping to change at line 463 ¶ | skipping to change at line 461 ¶ | |||
| could publish this record: | could publish this record: | |||
| svc4.example.net. 7200 IN SVCB 3 svc4.example.net. ( | svc4.example.net. 7200 IN SVCB 3 svc4.example.net. ( | |||
| alpn="bar" port="8004" ) | alpn="bar" port="8004" ) | |||
| This record would indicate that these services are served on port | This record would indicate that these services are served on port | |||
| number 8004, which supports the protocol "bar" and its associated | number 8004, which supports the protocol "bar" and its associated | |||
| transport in addition to the default transport protocol for "foo://". | transport in addition to the default transport protocol for "foo://". | |||
| (Parentheses are used to ignore a line break in DNS zone-file | (Parentheses are used to ignore a line break in DNS zone-file | |||
| presentation format ([RFC1035], Section 5.1).) | presentation format, per Section 5.1 of [RFC1035].) | |||
| 2.4. Interpretation | 2.4. Interpretation | |||
| 2.4.1. SvcPriority | 2.4.1. SvcPriority | |||
| When SvcPriority is 0, the SVCB record is in AliasMode | When SvcPriority is 0, the SVCB record is in AliasMode | |||
| (Section 2.4.2). Otherwise, it is in ServiceMode (Section 2.4.3). | (Section 2.4.2). Otherwise, it is in ServiceMode (Section 2.4.3). | |||
| Within a SVCB RRset, all RRs SHOULD have the same mode. If an RRset | Within a SVCB RRset, all RRs SHOULD have the same mode. If an RRset | |||
| contains a record in AliasMode, the recipient MUST ignore any | contains a record in AliasMode, the recipient MUST ignore any | |||
| skipping to change at line 1998 ¶ | skipping to change at line 1996 ¶ | |||
| [DNSTerm] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [DNSTerm] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | |||
| January 2019, <https://www.rfc-editor.org/info/rfc8499>. | January 2019, <https://www.rfc-editor.org/info/rfc8499>. | |||
| [ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | [ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | |||
| Encrypted Client Hello", Work in Progress, Internet-Draft, | Encrypted Client Hello", Work in Progress, Internet-Draft, | |||
| draft-ietf-tls-esni-17, 9 October 2023, | draft-ietf-tls-esni-17, 9 October 2023, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-tls- | <https://datatracker.ietf.org/doc/html/draft-ietf-tls- | |||
| esni-17>. | esni-17>. | |||
| [FETCH] WHATWG, "Fetch Living Standard", June 2023, | [FETCH] WHATWG, "Fetch Living Standard", October 2023, | |||
| <https://fetch.spec.whatwg.org/>. | <https://fetch.spec.whatwg.org/>. | |||
| [FETCH-WEBSOCKETS] | [FETCH-WEBSOCKETS] | |||
| WHATWG, "WebSockets Living Standard", May 2023, | WHATWG, "WebSockets Living Standard", September 2023, | |||
| <https://websockets.spec.whatwg.org/>. | <https://websockets.spec.whatwg.org/>. | |||
| [HSTS] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict | [HSTS] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict | |||
| Transport Security (HSTS)", RFC 6797, | Transport Security (HSTS)", RFC 6797, | |||
| DOI 10.17487/RFC6797, November 2012, | DOI 10.17487/RFC6797, November 2012, | |||
| <https://www.rfc-editor.org/info/rfc6797>. | <https://www.rfc-editor.org/info/rfc6797>. | |||
| [HTTP-DNS-RR] | [HTTP-DNS-RR] | |||
| Bellis, R., "A DNS Resource Record for HTTP", Work in | Bellis, R., "A DNS Resource Record for HTTP", Work in | |||
| Progress, Internet-Draft, draft-bellis-dnsop-http-record- | Progress, Internet-Draft, draft-bellis-dnsop-http-record- | |||
| skipping to change at line 2042 ¶ | skipping to change at line 2040 ¶ | |||
| [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
| <https://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
| Appendix A. Decoding Text in Zone Files | Appendix A. Decoding Text in Zone Files | |||
| DNS zone files are capable of representing arbitrary octet sequences | DNS zone files are capable of representing arbitrary octet sequences | |||
| in basic ASCII text, using various delimiters and encodings, | in basic ASCII text, using various delimiters and encodings, | |||
| according to an algorithm defined in Section 5.1 of [RFC1035]. Here, | according to an algorithm defined in Section 5.1 of [RFC1035]. The | |||
| we summarize some allowed inputs to that algorithm, using ABNF: | following summarizes some allowed inputs to that algorithm, using | |||
| ABNF: | ||||
| ; non-special is VCHAR minus DQUOTE, ";", "(", ")", and "\". | ; non-special is VCHAR minus DQUOTE, ";", "(", ")", and "\". | |||
| non-special = %x21 / %x23-27 / %x2A-3A / %x3C-5B / %x5D-7E | non-special = %x21 / %x23-27 / %x2A-3A / %x3C-5B / %x5D-7E | |||
| ; non-digit is VCHAR minus DIGIT. | ; non-digit is VCHAR minus DIGIT. | |||
| non-digit = %x21-2F / %x3A-7E | non-digit = %x21-2F / %x3A-7E | |||
| ; dec-octet is a number 0-255 as a three-digit decimal number. | ; dec-octet is a number 0-255 as a three-digit decimal number. | |||
| dec-octet = ( "0" / "1" ) 2DIGIT / | dec-octet = ( "0" / "1" ) 2DIGIT / | |||
| "2" ( ( %x30-34 DIGIT ) / ( "5" %x30-35 ) ) | "2" ( ( %x30-34 DIGIT ) / ( "5" %x30-35 ) ) | |||
| escaped = "\" ( non-digit / dec-octet ) | escaped = "\" ( non-digit / dec-octet ) | |||
| contiguous = 1*( non-special / escaped ) | contiguous = 1*( non-special / escaped ) | |||
| skipping to change at line 2142 ¶ | skipping to change at line 2141 ¶ | |||
| | include* | | | | include* | | | |||
| +--------------------------+----------------------+ | +--------------------------+----------------------+ | |||
| Table 3 | Table 3 | |||
| Appendix C. Comparison with Alternatives | Appendix C. Comparison with Alternatives | |||
| The SVCB and HTTPS RR types closely resemble, and are inspired by, | The SVCB and HTTPS RR types closely resemble, and are inspired by, | |||
| some existing record types and proposals. One complaint regarding | some existing record types and proposals. One complaint regarding | |||
| all of the alternatives is that web clients have seemed | all of the alternatives is that web clients have seemed | |||
| unenthusiastic about implementing them. The hope here is that by | unenthusiastic about implementing them. The hope here is that an | |||
| providing an extensible solution that solves multiple problems we | extensible solution that solves multiple problems will overcome this | |||
| will overcome this inertia and have a path to achieve client | inertia and have a path to achieve client implementation. | |||
| implementation. | ||||
| C.1. Differences from the SRV RR Type | C.1. Differences from the SRV RR Type | |||
| An SRV record [SRV] can perform a function similar to that of the | An SRV record [SRV] can perform a function similar to that of the | |||
| SVCB record, informing a client to look in a different location for a | SVCB record, informing a client to look in a different location for a | |||
| service. However, there are several differences: | service. However, there are several differences: | |||
| * SRV records are typically mandatory, whereas SVCB is intended to | * SRV records are typically mandatory, whereas SVCB is intended to | |||
| be optional when used with pre-existing protocols. | be optional when used with pre-existing protocols. | |||
| skipping to change at line 2410 ¶ | skipping to change at line 2408 ¶ | |||
| \x00\x10 # priority | \x00\x10 # priority | |||
| \x03foo\x07example\x03org\x00 # target | \x03foo\x07example\x03org\x00 # target | |||
| \x00\x01 # key 1 | \x00\x01 # key 1 | |||
| \x00\x0c # param length 12 | \x00\x0c # param length 12 | |||
| \x08 # alpn length 8 | \x08 # alpn length 8 | |||
| f\oo,bar # alpn value | f\oo,bar # alpn value | |||
| \x02 # alpn length 2 | \x02 # alpn length 2 | |||
| h2 # alpn value | h2 # alpn value | |||
| Figure 10: An alpn Value with an Escaped Comma and an Escaped | Figure 10: An "alpn" Value with an Escaped Comma and an Escaped | |||
| Backslash in Two Presentation Formats | Backslash in Two Presentation Formats | |||
| D.3. Failure Cases | D.3. Failure Cases | |||
| This subsection contains test vectors that are not compliant with | This subsection contains test vectors that are not compliant with | |||
| this document. The various reasons for non-compliance are explained | this document. The various reasons for non-compliance are explained | |||
| with each example. | with each example. | |||
| example.com. SVCB 1 foo.example.com. ( | example.com. SVCB 1 foo.example.com. ( | |||
| key123=abc key123=def | key123=abc key123=def | |||
| End of changes. 12 change blocks. | ||||
| 26 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||
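The following is an added example, not text or code from RFC 9460 or the rfcdiff output above. It works through the two encoding layers the compared text touches: the zone-file <character-string> decoding summarized in Appendix A (backslash escapes and three-digit \DDD octets), and the "alpn" SvcParam of Figure 10, whose presentation form escapes a comma and a backslash a second time inside the value list before the value is emitted as length-prefixed alpn-ids in the wire format. The encoder also rejects a repeated SvcParamKey, which is what makes the Appendix D.3 vector with "key123=abc key123=def" non-compliant (RFC 9460 Section 2.2 requires keys to be unique and in increasing numeric order). Function names, the ALPN_KEY constant and the main() output are this example's own choices, not an API of any DNS library.

```python
"""Added example (not from RFC 9460): Appendix A character-string decoding,
"alpn" value-list splitting, and the SVCB RDATA wire format of Figure 10."""
import struct

ALPN_KEY = 1  # SvcParamKey number for "alpn"; Figure 10's wire dump shows key 1


def decode_char_string(text: str) -> bytes:
    """Appendix A decoding: optional surrounding DQUOTEs, "\\X" escapes one
    non-digit character, "\\DDD" escapes one octet as three decimal digits."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            if ord(ch) > 0x7E:
                raise ValueError("zone-file text must be ASCII")
            out.append(ord(ch))
            i += 1
            continue
        nxt = text[i + 1:i + 2]
        if not nxt:
            raise ValueError("dangling backslash")
        if nxt.isdigit():
            digits = text[i + 1:i + 4]  # dec-octet: exactly three digits, 0-255
            if len(digits) != 3 or not digits.isdigit() or int(digits) > 255:
                raise ValueError("\\DDD escape must be three digits, 0-255")
            out.append(int(digits))
            i += 4
        else:
            out.append(ord(nxt))
            i += 2
    return bytes(out)


def split_value_list(raw: bytes) -> list[bytes]:
    """Split a decoded "alpn" value on unescaped commas (RFC 9460 s7.1.1):
    inside the list "\\" escapes the next octet, so "\\," is a literal comma
    and "\\\\" a literal backslash. Each alpn-id must be 1..255 octets."""
    items, cur, i = [], bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C:  # backslash: take the next octet literally
            if i + 1 >= len(raw):
                raise ValueError("dangling backslash in value list")
            cur.append(raw[i + 1])
            i += 2
        elif raw[i] == 0x2C:  # unescaped comma: end of this alpn-id
            items.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(raw[i])
            i += 1
    items.append(bytes(cur))
    for item in items:
        if not 1 <= len(item) <= 255:
            raise ValueError("alpn-id must be 1..255 octets")
    return items


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name: length-prefixed labels, root 0."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_alpn_value(ids: list[bytes]) -> bytes:
    """Wire form of the alpn SvcParamValue: each alpn-id with a length octet."""
    return b"".join(bytes([len(i)]) + i for i in ids)


def encode_svcb_rdata(priority: int, target: str,
                      params: list[tuple[int, bytes]]) -> bytes:
    """SvcPriority (2 octets), TargetName, then each SvcParam as
    key (2) / length (2) / value. Duplicate or unordered keys are rejected."""
    keys = [k for k, _ in params]
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate SvcParamKey (Appendix D.3 failure case)")
    if keys != sorted(keys):
        raise ValueError("SvcParamKeys must be in increasing numeric order")
    rdata = struct.pack("!H", priority) + encode_name(target)
    for key, value in params:
        rdata += struct.pack("!HH", key, len(value)) + value
    return rdata


def svcb_mode(priority: int) -> str:
    """Section 2.4.1: SvcPriority 0 means AliasMode, anything else ServiceMode."""
    return "AliasMode" if priority == 0 else "ServiceMode"


def figure10_rdata() -> bytes:
    """Rebuild Figure 10's RDATA from its quoted presentation form."""
    presentation = r'"f\\\\oo\\,bar,h2"'  # quoted zone-file form from Figure 10
    ids = split_value_list(decode_char_string(presentation))  # [b"f\\oo,bar", b"h2"]
    return encode_svcb_rdata(16, "foo.example.org.",
                             [(ALPN_KEY, encode_alpn_value(ids))])


if __name__ == "__main__":
    print(svcb_mode(16), figure10_rdata().hex(" "))
```

Running the block prints the 35-octet RDATA of Figure 10: priority 00 10, the target name, key 00 01, length 00 0c, then 08 "f\oo,bar" and 02 "h2". Note the two distinct escape layers: the zone-file parser turns `\\` into `\` and leaves `\,` as `\,`, and only the value-list splitter then turns `\,` into a literal comma and `\\` into a literal backslash; collapsing the two steps into one is the usual source of mis-parsed alpn values.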