[dispatch] New proposed work: DNS over HTTPS

Paul Hoffman <paul.hoffman@icann.org> Fri, 16 June 2017 20:34 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5ADAA131867 for <dispatch@ietfa.amsl.com>; Fri, 16 Jun 2017 13:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id MCw7EiWbv-3F for <dispatch@ietfa.amsl.com>; Fri, 16 Jun 2017 13:34:53 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63525127869 for <dispatch@ietf.org>; Fri, 16 Jun 2017 13:34:53 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-2.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 16 Jun 2017 13:34:51 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Fri, 16 Jun 2017 13:34:50 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "dispatch@ietf.org" <dispatch@ietf.org>
Thread-Topic: New proposed work: DNS over HTTPS
Thread-Index: AQHS5uAAFeia1c+5vE2BTU0fwZxcsg==
Date: Fri, 16 Jun 2017 20:34:50 +0000
Message-ID: <52CA02A7-705D-4D5E-AC1D-FB0B02BB4305@icann.org>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5A91F026E3BA024E8ECF7122ACBAA3C5@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/A8dxUG3--rE1pxrJJgzxPfNoERg>
Subject: [dispatch] New proposed work: DNS over HTTPS
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2017 20:34:55 -0000

Greetings. We would like to propose that the work on DNS over HTTPS that is  currently embodied in the individual draft https://tools.ietf.org/html/draft-hoffman-dns-over-https-01 be dispatched at IETF 99.

The work has been discussed for the last nine months on the IETF-sponsored mailing list at https://www.ietf.org/mailman/listinfo/dnsoverhttp and was at the core of a bar bof in Seoul attended by around 80 people with a general consensus that standardization would benefit this space. I understand the draft should be resubmitted with the dispatch naming convention and will be very soon.

This seems to us to be an Application protocol, but the httpbis WG generally does not take on how-to-use HTTP (that is, "foo over HTTP" work items), so dispatch's help in progressing the work would be appreciated. We emphasize that we seek work consistent with the goals of this previous work (and believe it to be a strong starting point), but the actual protocol specification is of course a matter of IETF consensus not pre-determined by that draft.

As a bit of background, the Internet of course does not always provide good end-to-end reachability for DNS transport and this is especially true when using confidential and integrity transports for DNS. On-path network devices may spoof DNS responses, block DNS requests, track DNS activity, or just redirect DNS queries to different DNS servers that give less-than-honest answers.

This work focuses on interacting with DNS servers, not just using encapsulation as a tunnel. Using secure HTTPS provides an alternative transport option and also provides a mechanism for obtaining and using DNS data in web browsers, both natively and in security contexts governed by the Same-Origin security policy.

Another clear goal of the approach is to be a good fit for the HTTP protocol: good answers for caching, support for an ecosystem of different media types (such as both traditional DNS framing and more web-friendly things like JSON), and leverage of the multiplexing and prioritization schemes modern HTTP can provide.

Use of HTTPS is very common, of course, and the ability to use an established connection to carry DNS information can provide both performance and confidentiality benefits over other approaches in circumstances when HTTPS is the prominent transport available. This proposal should not be considered exclusive or competitive with the valuable mechcanisms of the drive WG.

Paul and Patrick