Hi Peter,
The format for SVCB and HTTPS RRs is the same, but the HTTPS rrtype is
reserved for use with the http and https URI schemes and implies some
values. I only worried about parsing it successfully for now, so I
don't know all the details, but
https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-11.html#https
should answer that question in more detail(?)
nsd-checkzone mostly checks if it can successfully parse the record, so
mostly syntax, but it does check some semantics. The SVCB zone format
is a little weird because it introduces some syntax changes. There has
been some discussion on the syntax, but yes, quotes matter.
From the top of my head, you're allowed to specify either key=value or
key="value", but not key<space+>=<space+>"value". Depending on the
value, you need to quote it. Presumably, there's also some weirdness
around double escaping wrt alpn values and commas, but the details
escape me.
- Jeroen
On Fri, 2023-01-06 at 13:30 +0100, Peter Russel via nsd-users wrote:
> @ jeroen
>
> thanks for your pointers, managed to create valid entries (quotes
> matter, nsd-checkzone doesn't warn, dig result then says: ;; Got bad
> packet: extra input data)
>
> testzone, dummy IPs:
>
> doh IN A 192.169.254.4
> doh IN AAAA 2a02:1810:4d27:290f::aa01
>
> ;## HTTPS
> httpsipv4 IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4"
> httpsipv6 IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv6hint="2a02:1810:4d27:290f::aa01"
> httpsip IN HTTPS 1 . alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4" ipv6hint="2a02:1810:4d27:290f::aa01"
>
> ;## SVCB
> svcbipv4 IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4"
> svcbipv6 IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv6hint="2a02:1810:4d27:290f::aa01"
> svcbip IN SVCB 1 doh alpn=h3,h2,http/1.1 dohpath="/dns-query{?dns}" port=443 ipv4hint="192.169.254.4" ipv6hint="2a02:1810:4d27:290f::aa01"
>
> I don't get it yet, it looks like you can do the same, using HTTPS
> and SVCB records. What is the difference, since the query replies
> provide identical information?
>
> Thanks for your time and effort
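The quoting rules discussed in this thread, as an added example that is not part of the original messages and not NSD's code: a small Python pre-flight check for the SvcParams field of an SVCB/HTTPS record, which rejects whitespace around `=` and shows why a literal comma inside an alpn id has to be escaped twice. The function names are hypothetical, and the two-pass decoding (zone-file char-string first, then comma-separated list) is an assumption taken from the draft linked in the reply; input is assumed to be one ASCII line.

```python
import re

KEY = re.compile(r"[a-z0-9-]+")
CHAR_STRING = re.compile(r'"((?:\\.|[^"\\])*)"|((?:\\.|[^\s"\\])+)')
ESCAPE = re.compile(r"\\(\d{3}|.)")            # \DDD (decimal) or \X
ITEM_TOKEN = re.compile(rb"\\[,\\]|[^\\]")     # pass-2 escapes: \, and \\

def decode_char_string(text, i):
    """Pass 1: decode the quoted or unquoted value starting at text[i]."""
    m = CHAR_STRING.match(text, i)
    if not m:
        raise ValueError(f"no value directly after '=' (column {i})")
    body = m.group(1) if m.group(1) is not None else m.group(2)
    unescape = lambda e: chr(int(e[1])) if len(e[1]) == 3 else e[1]
    return ESCAPE.sub(unescape, body).encode("latin-1"), m.end()

def split_value_list(raw):
    """Pass 2 (alpn): split the decoded value on unescaped commas."""
    tokens = ITEM_TOKEN.findall(raw)
    if sum(map(len, tokens)) != len(raw):
        raise ValueError("stray backslash in value-list")
    items = [b""]
    for tok in tokens:
        if tok == b",":
            items.append(b"")
        else:
            items[-1] += tok[-1:]          # drops the escaping backslash
    if b"" in items:
        raise ValueError("empty item in value-list")
    return items

def parse_svcparams(text):
    """Parse the SvcParams field of one SVCB/HTTPS record into a dict."""
    params, i = {}, 0
    while i < len(text):
        if text[i] in " \t":
            i += 1
            continue
        k = KEY.match(text, i)
        if not k:                          # e.g. a '=' separated by spaces
            raise ValueError(f"expected a key at column {i}")
        key, i, value = k.group(), k.end(), None
        if text.startswith("=", i):
            value, i = decode_char_string(text, i + 1)
        if text[i:i + 1] not in ("", " ", "\t"):
            raise ValueError(f"unexpected text after {key} at column {i}")
        is_list = key == "alpn" and value is not None
        params[key] = split_value_list(value) if is_list else value
    return params
```

With a single backslash, `alpn="a\,b"` loses the escape in the first pass and is split into two protocol ids; `alpn="a\\,b"` keeps the comma inside one id.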