Early Review of draft-ietf-tls-wkech-04
review-ietf-tls-wkech-04-artart-early-thomson-2024-04-01-00
Request | Review of | draft-ietf-tls-wkech |
---|---|---|
Requested revision | No specific revision (document currently at 06) | |
Type | Early Review | |
Team | ART Area Review Team (artart) | |
Deadline | 2024-04-15 | |
Requested | 2024-04-01 | |
Requested by | Sean Turner | |
Authors | Stephen Farrell , Rich Salz , Benjamin M. Schwartz | |
I-D last updated | 2024-04-01 | |
Completed reviews |
Artart Early review of -04
by Martin Thomson
(diff)
Opsdir Early review of -04 by Tim Chown (diff) Dnsdir Early review of -04 by David Blacka (diff) |
|
Assignment | Reviewer | Martin Thomson |
State | Completed | |
Request | Early review on draft-ietf-tls-wkech by ART Area Review Team Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/art/Kx-V0Z16lxsupbG1XoQuP2Pa84g | |
Reviewed revision | 04 (document currently at 06) | |
Result | Not ready | |
Completed | 2024-04-01 |
review-ietf-tls-wkech-04-artart-early-thomson-2024-04-01-00
This document describes how an HTTP origin can publish information about its ECH configuration so that other nodes can aid it in setting up the DNS records necessary to run DNS. Issues: Most of the document talks about having the back-end servers produce content for the well-known resource, but there is mention of other servers being involved as well. ECH depends on having shared configuration at the client-facing side for servers, so any configuration process should probably involve something different. That is, having each server produce information about its own (perceived) configuration, with the zone factory being responsible for synthesizing the information from each into a coherent whole. In that design, a back-end server would indicate that they are using a shared client-facing server, and point to it. The client-facing server would supply its ECH configuration (which might be different for different back-end servers). There are cases where a client-facing server might be able to produce the content for a back-end server, so that a single resource could make sense. That might lead to the design we see, but that is not obviously correct for all aspects of the design. The current design involves publishing information for a multitude of ECHConfigList values and multiple target names (and ports). It is not obvious that it is safe to have one origin speak for multiple others in this way or what conditions might be necessary to have that happen safely. If there is a validation process involved, that might work. The process in S6 is too loose for me to be confident in that being sufficient. The design for publishing alias records is something I cannot decipher at all. There's a description of the field, but no real supporting material for that. The different deployment options need to be more clearly articulated in support of different modes of use, along with any validation that is needed. It might be the case that the design is fundamentally sound, but it isn't clear to me that this is true. Nits: Titles are not sentences. Lose the period. S1, typo: ECHConflgList Use of the term "front-end" and "back-end" is likely confusing for some consumers of this specification. Front-end overwhelmingly refers to the development of web-facing content, whereas back-end refers to the development of servers and services. Why not use client-facing as the ECH specification does? S3, please avoid using things like "cronjob". Periodic is fine and doesn't presume the use of a particular tool. S3, typo: regularaly S4: > The well-known URI defined here MUST be an https URL and therefore the ZF verifies the correct BE is being accessed. If no new ECH value resulting "works," then the zone factory SHOULD NOT modify the zone. This is two very different concepts in the one paragraph. The first is about authenticating the content at the .w-k resource. The second is about validating it. There is no segue between the two. Maybe you could say "The ZF MUST validate any ECHConfig that it obtains before publishing information to the DNS zone." Also, avoid "scare quotes" and say what you mean by "works". > Note that a consequence of the URL above is that back-ends that wish to use different ECH settings are very likely to have to use different "DocRoot" settings. What is DocRoot? (Really. I don't know what this means.) More generally, I would prefer a use case or goal-motivated structure to the document than a format-based one. That is, consider answering some questions: what information would a back-end server produce? what would a front-end produce? what would you include (and validate) if you wanted to have aliases?