Contact emails
dmca...@chromium.org, eric...@chromium.org
Explainer
HTTPSSVC is a new DNS resource record that contains an extensible key-value map. With HTTPSSVC, clients can obtain pre-connection information efficiently, with just one additional DNS query.
Design doc/Spec
https://tools.ietf.org/html/draft-ietf-dnsop-svcb-httpssvc-01
(TAG review N/A. This is a new DNS record type defined in the IETF DNSOP working group, not a web platform API under the W3C.)
Summary
We plan to start experimenting with HTTPSSVC as early as M82. All HTTPSSVC behavior will be guarded behind the “dns-httpssvc” feature flag.
Goals for Experimentation
We want to assess the performance impact of querying a new DNS record. When enrolled in the experiment, and only if DNS-over-HTTPS is enabled, Chromium will query HTTPSSVC alongside the standard A/AAAA records. We will collect UMA metrics to evaluate performance and UKM metrics to study query performance and reliability in the field, particularly around handling by recursive and authoritative resolvers. Any DNS responses to HTTPSSVC queries may be inspected for experiment data, but will not be used to establish connections at this time.
In a later milestone, we plan to extend this experiment and actually use the HTTPSSVC responses to inform connection establishment. We will update this thread when that milestone approaches.
Experimental Timeline
M82-M84
Any risks when the experiment finishes?
No, at this stage of experimentation, the returned records are not used to establish connections, so there is no impact on functionality.
Motivation
In the short term, HTTPSSVC will bring privacy and performance benefits when connecting to domains for the first time.
Currently, unless the scheme is specified, URLs typed into the browser’s address bar default to “http://”. This is mitigated by HSTS, but unless the site is covered by the HSTS preload list, this does not cover the first time a user visits a site. HTTPSSVC enables the browser to upgrade the URL scheme to “https://” without first making an insecure connection (assuming a secure connection, e.g. DoH, to a trusted DNS resolver).
Similarly, the first connection to an origin that supports QUIC is made over TCP. If we receive an Alt-Svc header indicating QUIC, future connections will attempt QUIC. HTTPSSVC enables QUIC on the first connection to a domain.
HTTPSSVC will also enable delegation of apex domains, which CNAME is currently incapable of expressing.
In the long term, HTTPSSVC lays the groundwork for new protocols and network-level features.
Risks
Interoperability and Compatibility
Due to compatibility concerns with DNS forwarding implementations on non-updatable legacy resolvers, we are only going to query HTTPSSVC over DoH. Chrome already avoids overwhelming low-throughput DNS forwarders by limiting the number of concurrent queries made over cleartext. Adding a new query for HTTPSSVC would eat into that budget and hurt performance. It’s also a risk that these DNS forwarders will drop queries for unknown records or break in arbitrary, unpredictable ways.
Ergonomics
While HTTPSSVC exposes no API, the purpose of this experiment is to assess the performance impact of querying HTTPSSVC records. If it has a significant performance impact, some users will experience delayed page loading.
Activation
The main challenge for developers to start using HTTPSSVC is generating and serving the appropriate records for their domains. We anticipate hosting providers and CDNs will first add automatic support for this on fully-managed domains, and then add HTTPSSVC options to existing DNS configuration UIs.
Debuggability
There is currently no precedent for debugging DNS configuration in DevTools. However, we are devoting some thought to surfacing HTTPSSVC details.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
HTTPSSVC queries will only be sent over DoH connections, thus limiting support to platforms where DoH is enabled: Windows, Mac, ChromeOS and Android.
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5948056459542528
Requesting approval to ship?
No
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGmnN46--%3D0hLEnsWK%2BcJyJese3AD%3D9vaViJB_LHrDFM73gRQA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CALjhuicC1od%3D8qenc0r1mZwOg_yGMgPnU_j%3DCEWCutnffY0pcw%40mail.gmail.com.
On Wed, Feb 12, 2020 at 9:30 AM PhistucK <phis...@gmail.com> wrote:I have no idea how this works - sorry for the dumb question - but is there a way to query A/AAAA and HTTPSVCS records in a single query?Otherwise this does not seem to be saving a lot (relatively), if you have to initiate another request anyway...
Chrome currently queries A and AAAA concurrently as separate DNS queries. HTTPSSVC will be made as a third separate but concurrent query.
☆PhistucKOn Wed, Feb 12, 2020 at 3:32 PM Jochen Eisinger <joc...@chromium.org> wrote:Do we know whether there are sufficiently many hosts with HTTPSSVC records in DNS fo this experiment to be meaningful?
The quick answer is that at the current level of standardization (format still in flux and a type code not yet assigned) there will be almost no hosts in existence with such records and even less that Chrome could recognize as valid HTTPSSVC for the experiment. But even when the response is always negative, we are experimentally interested in seeing how the ecosystem handles receiving and responding to the queries. Details coming soon in the design doc dmca...@chromium.org is working on.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CABc02_J-Ak%2B14ACUtThb-ZCThk2xnAOu5j%2BYWgYE2Zo1Phy8ZA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAMOjQcG-43s6seawYo6EOdR2csAOb9kSjj3zpyaSt4iPi8Y-Zw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAGmnN44aAM0q7W%3DXczx9qk0Jk6%2BB4ZkTP8H1Lx51ax0Mag9v9g%40mail.gmail.com.
Eric: Just to clarify, Emily asking if we would not fall back to HTTP unless the HTTPSSVC query comes back with NXDOMAIN. For instance, could the record get dropped by an on-path attacker or the DoH server itself? What would we do if there is a SERVFAIL or timeout on the HTTPSSVC query? Is it equivalent to the A/AAAA query failing?
I do agree with the assessment that the Omnibox change provides immediate value and is worth pursuing in parallel.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAMOjQcEz2B_heRdZJq7-156idtSRhs_ROsmzNb_b30VzT8_iPQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAKhd1E22ZarKQnK2SR87dgbFQ916o%3DdF6fZHnqUL5077ZWsWGQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAMOjQcEz2B_heRdZJq7-156idtSRhs_ROsmzNb_b30VzT8_iPQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvY-LGLLQC7mCWwJW_9GWOewV2SLpz6%2BzEEvTobVZhR5_Q%40mail.gmail.com.