IETF Logo Mail Archive

Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Mark Nottingham <mnot@mnot.net> Tue, 09 May 2017 04:32 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2172512704B for <dns-privacy@ietfa.amsl.com>; Mon, 8 May 2017 21:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdXgyRB27ET4 for <dns-privacy@ietfa.amsl.com>; Mon, 8 May 2017 21:32:27 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61987120227 for <dns-privacy@ietf.org>; Mon, 8 May 2017 21:32:27 -0700 (PDT)
Received: from [192.168.1.18] (unknown [124.189.96.43]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 6A3C622E1F3; Tue, 9 May 2017 00:32:19 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20170509042951.GA8239@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Tue, 09 May 2017 14:32:17 +1000
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DFB46E34-A0ED-46B4-90C1-35CA7C409B65@mnot.net>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <CAOdDvNruCCyB2rsF9VgaVEOjQGD82wA0AiLAghiGjDM0SpBFPQ@mail.gmail.com> <87lgqdr0fr.fsf@fifthhorseman.net> <BN6PR03MB27085632B5CBA7324894699487EA0@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnVLasxAfsezDp4H0cSOme5okHUY0ruG7EzgsNEW89SmDQ@mail.gmail.com> <87bmr9qwn7.fsf@fifthhorseman.net> <CABkgnnUgy+iD8R=WOBFb8bFWrtX=06unmiA5Ne3eEkt_KLcGxw@mail.gmail.com> <8737clqund.fsf@fifthhorseman.net> <C207AD90-62B5-4AD0-BF34-C0EA52ED5696@mnot.net> <20170509042951.GA8239@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/1cXIzd64CGmRdOe5l0ZGS0KUKPA>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 04:32:30 -0000

> On 9 May 2017, at 2:29 pm, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Tue, May 09, 2017 at 11:20:30AM +1000, Mark Nottingham wrote:
>> Hey DKG,
>> 
>> Throwing my .02 in, although it's similar to what you've heard from
>> others upthread --
>> 
>> I wouldn't do this for h1; it'll be an interop nightmare. H2 gives
>> you the properties you want and the implementation / testing burden
>> is much more realistic.
>> 
>> For H2, I wouldn't use an ALPN token; define a new frame type or two
>> that you can send optimistically before SETTINGS sync, stopping them
>> if you don't get the right SETTING from your peer. Realistically,
>> this is going to need to be configured into the client anyway, so
>> there's some amount of pre-arrangement.
> 
> I don't think what you are saying is workable.
> 
> From what I can gather, the intention for this thing DKG gave is to
> be pure TLS-wrapped DNS from the client side. Any SETTINGS or otherwise
> from the server breaks this. And it can not use any odd ALPN values
> either.
> 
> This impiles this thing can't be used with HTTP/2, as it is both-
> sides-send-first, instead of client-sends-first.
> 
> Yes, if you try this with random HTTP server, it will choke. The
> intention is that the client knows via configuration that the HTTP
> server is capable of DNS demux.
> 
> 
> The schemes for riding DNS on top of HTTP or HTTP/2 framing structure
> are totally different thing. Those are obviously more compatible with
> HTTP/2.

Sorry if it wasn't clear -- what I was saying was "don't do this (DKG's proposal); do that (DNS-over-HTTP)".


--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email