jschauma

@jschauma@mstdn.social

Vell, I'm just zis guy, you know?


jschauma, to random

Hey, so #RFC9460 HTTPS/SVCB records are neat, right?

They...

  • speed up your time-to-first-packet (by basically stuffing the Alt-Svc HTTP header / ALPN TLS extension into the #DNS);
  • let you do redirection on the zone apex without using CNAMEs;
  • allow for simple DNS load distribution and failover;
  • obviate HSTS and the cumbersome preloading process;
  • enable stronger privacy protections via Encrypted Client Hello aka #ECH
jschauma,

With no A/AAAA records, you should still be able to connect directly to the service name. On the wire, that looks like so:

You'll find our HTTPS record lookup in packet 624, followed by an A record lookup in 625, and the HTTPS result in 626.

Notice that we then make a TCP connection immediately in packet 627 and begin our TLS handshake in 630, without waiting for the (empty) A record result, which finally arrives in packet 651, showing the use of the ipv4hint from the HTTPS result.

jschauma,

Note: only Safari gets this completely right as of today.

Firefox only looks up HTTPS records when using DoH, but then also does the right thing.

Chrome, on the other hand, does not (yet) support other target names, nor use the IP hints in the record:
https://bugs.chromium.org/p/chromium/issues/detail?id=1494759

jschauma,

So I was curious: just who currently uses HTTPS records?

And yes, I went ahead again and performed DNS lookups for approximately 227 million second-level domain names (e.g., example.com), then repeated the lookups, prefixing each name with 'www'. Finally, I did the same exercise once more for the Tranco Top1M domains only.

jschauma,

I found almost 10 million domain names using an HTTPS record for their 'www' service names (i.e., 4.4%), and around 9.1 million domains (4.0%) using the record on their bare second-level domain name; for the Top1M domains, there were around 22.5K (25.5%) for the 'www' service names, and almost 24K (25.6%) bare domains using HTTPS records:

[Pie chart: "Presence of HTTPS records on Top1M"]

jschauma,

The HTTPS record has the following format:

SvcPriority TargetName SvcParams

The SvcPriority field indicates the mode of the HTTPS record: 0 indicates AliasMode, any other value indicates ServiceMode.

You might expect a SvcPriority of 0 to be more frequently encountered on the bare domain names to make use of zone apex aliasing, with ServiceMode being indicated for the 'www' subdomains.

However, I found that virtually all existing HTTPS records are in ServiceMode:

jschauma,

The TargetName field also shows that early adopters of these records do not use them to redirect traffic: virtually all records have the TargetName set to '.', meaning the record owner's name is used.

One of the few exceptions is "geo-routing.nexuspipe.com." (used by >1K domains), which appears to be used by the NexusPipe Cybersecurity company for some load-balancing across different ports:

jschauma,

#RFC9460 defines the 'alpn', 'no-default-alpn', 'port', 'ipv4hint' and 'ipv6hint', and 'mandatory' SvcParamKeys. In addition, there's the 'ech' SvcParamKey for Encrypted Client Hello.

The 'mandatory' and 'no-default-alpn' are virtually unused: out of almost 10 million HTTPS records, I found exactly one instance of the 'mandatory' parameter, and 3 instances of 'no-default-alpn'.
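As an added illustration of the record format, the AliasMode/ServiceMode split, the SvcParamKeys and the ipv4hint-before-A-result behaviour discussed in the posts above (example code, not the author's tooling), here is a small parser for HTTPS records in RFC 9460 presentation format; the sample records are constructed, and the owner name and ECH value are placeholders.

```python
"""Parse RFC 9460 HTTPS/SVCB records in presentation format (example code)."""
import ipaddress

# SvcParamKeys from RFC 9460 plus 'ech' (registered separately for Encrypted Client Hello).
KNOWN_KEYS = {"mandatory", "alpn", "no-default-alpn", "port", "ipv4hint", "ipv6hint", "ech"}


def parse_https_record(rdata):
    """Return {'mode', 'priority', 'target', 'params'} for one HTTPS RDATA string.

    Raises ValueError for malformed records and for records whose 'mandatory'
    list names a key this parser does not understand: per RFC 9460 such a
    record must be treated as unusable by the client.
    """
    fields = rdata.split()
    if len(fields) < 2:
        raise ValueError("need at least SvcPriority and TargetName")
    priority, target, params = int(fields[0]), fields[1], {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        value = value.strip('"')
        if key in params:
            raise ValueError(f"duplicate SvcParamKey {key!r}")
        if key in ("alpn", "mandatory"):
            params[key] = value.split(",")
        elif key in ("ipv4hint", "ipv6hint"):
            params[key] = [str(ipaddress.ip_address(v)) for v in value.split(",")]
        elif key == "port":
            params[key] = int(value)
        else:
            # 'ech' (base64 ECHConfigList), 'no-default-alpn' (empty) or an unknown key
            params[key] = value
    if priority == 0:
        params = {}  # AliasMode: clients must ignore any SvcParams
    unknown = set(params.get("mandatory", [])) - KNOWN_KEYS
    if unknown:
        raise ValueError(f"mandatory lists unsupported keys: {sorted(unknown)}")
    mode = "AliasMode" if priority == 0 else "ServiceMode"
    return {"mode": mode, "priority": priority, "target": target, "params": params}


def connection_candidates(owner, rdata):
    """(host, ip, port) tuples a client may try from the hints alone, before
    any A/AAAA answer arrives. A TargetName of '.' means the owner name."""
    rec = parse_https_record(rdata)
    host = owner if rec["target"] == "." else rec["target"].rstrip(".")
    port = rec["params"].get("port", 443)
    hints = rec["params"].get("ipv4hint", []) + rec["params"].get("ipv6hint", [])
    return [(host, ip, port) for ip in hints]
```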

jschauma,

The 'alpn' SvcParamKey, on the other hand, is found in >99.9% of all HTTPS records; only 7.6K do not have it set.

The most common value by far is "h3,h2", which also indicates increasing adoption of HTTP/3:

jschauma,

'ech' is virtually unused -- now. When I first collected data, Cloudflare had just announced that they enabled #ECH for all customers, and I did indeed see millions of domains with 'ech' parameters (using ~200 unique values).

However, soon after (and with decidedly less fanfare or any specific reasons given), they disabled ECH again, promising to re-enable it in "early 2024":

https://community.cloudflare.com/t/early-hints-and-encrypted-client-hello-ech-are-currently-disabled-globally/567730

jschauma, to random

Holy shit grep is slow.

zcat file.xz | time perl -ne 'print if / none /' | wc -l
74368
0.09s real 0.04s user 0.01s system

zcat file.xz | time sed -n -e '/ none /p' | wc -l
74368
0.13s real 0.08s user 0.00s system

zcat file.xz | time awk '/ none / { print }' | wc -l
74368
0.10s real 0.05s user 0.01s system

zcat file.xz | time grep ' none ' | wc -l
74368
57.98s real 22.68s user 0.01s system

jschauma,

@ParadeGrotesque I'm timing the string processing, not the decompression, so that won't make a difference. And zgrep is really actually and literally "zcat | grep": http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/gzip/zgrep?rev=HEAD&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

jschauma, to climate

"Governments, in aggregate, still plan to produce more than double the amount of #fossilfuels in 2030 than what would be consistent with limiting #globalwarming to 1.5°C. This comes despite 151 national governments having pledged to achieve net-zero emissions"

https://productiongap.org/wp-content/uploads/2023/11/PGR2023_web.pdf

"In 2030, if current projections hold, the United States will drill for more oil and gas than at any point in its history. Russia and Saudi Arabia plan to do the same."

https://www.nytimes.com/2023/11/08/climate/fossil-fuels-expanding.html

#ClimateCrisis

jschauma, to random

Looks like the .bot domain entered general availability, registrations almost doubled in the last two days.

See other stats here:
https://www.netmeister.org/tldstats/

jschauma, to random

Oh, goodie, it's "Open Enrollment" - that time of year that reminds you again how even well-off people with health insurance get fucked over by the US system, with premiums going up, HSA vs FSA vs deductible + out-of-pocket max + out-of-network vs in-network and basically having to know in advance how much you'll be spending the coming year for your entire family.

It's nuts how this sort of bullshit is just accepted as normal.

jschauma, to random

Ken Thompson's original Unix backdoor of "Reflections on Trusting Trust" fame was apparently never published. 40 years (!) later, here it is: 99 lines of code plus a 20-line shell script. That's it.

Nicely annotated and explained by Russ Cox:

https://research.swtch.com/nih

jschauma, to random

Never has a simple animation caused more frustration and delayed communications than this...

"is typing" three dots animation

jschauma, to random

Looks like Google is looking to implement something similar to Apple Private Relay, here called "IP Protection": https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q

jschauma, to random

You know, in hindsight naming a DNS resource record "HTTPS" -- the same as the most ubiquitous term used in a browser context -- may not have been the best idea.

Try to get useful search results for:

"firefox https support"
"chrome https resolution order"
"curl https record"
...

(Yes, I can add "SVCB" or other words. It's still infuriatingly silly to try to search the web for "https". It's like asking in the library "Do you have any books with words?")

jschauma, to random

Also living rent-free in my head these days: this phylogenetic tree of life Total Perspective Vortex.

jschauma,

@janl You can get a high-res PDF that converts to an SVG (pdf2svg) from here: https://www.zo.utexas.edu/faculty/antisense/DownloadfilesToL.html

Been thinking of this as a tattoo, but as shown on that page, too, the level of detail desired is difficult on skin. (Love the School of Biological Sciences wall painting though.)

jschauma, to random

Not really a hot-take but: open source projects moving public discussions from project run mailing lists or chats to commercial (albeit "free") platforms is inevitably and eventually going to backfire and we'll all lose important knowledge and content either completely or behind login-, ad-, or paywalls.

jschauma,

@janl 👍

jschauma, to random

Randomly stumbled upon this, and 👍.
