Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 May 2017 04:29 UTC

Date: Tue, 09 May 2017 07:29:51 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/8AjPU_XOmVRMhIuGX3uVXPCiqbA>

On Tue, May 09, 2017 at 11:20:30AM +1000, Mark Nottingham wrote:
> Hey DKG,
> 
> Throwing my .02 in, although it's similar to what you've heard from
> others upthread --
> 
> I wouldn't do this for h1; it'll be an interop nightmare. H2 gives
> you the properties you want and the implementation / testing burden
> is much more realistic.
> 
> For H2, I wouldn't use an ALPN token; define a new frame type or two
> that you can send optimistically before SETTINGS sync, stopping them
> if you don't get the right SETTING from your peer. Realistically,
> this is going to need to be configured into the client anyway, so
> there's some amount of pre-arrangement.

I don't think what you are saying is workable.

From what I can gather, the intention for this thing DKG gave is to
be pure TLS-wrapped DNS from the client side. Any SETTINGS or otherwise
from the server breaks this. And it cannot use any odd ALPN values
either.

This implies this thing can't be used with HTTP/2, as it is both-
sides-send-first, instead of client-sends-first.

Yes, if you try this with a random HTTP server, it will choke. The
intention is that the client knows via configuration that the HTTP
server is capable of DNS demux.


The schemes for riding DNS on top of HTTP or HTTP/2 framing structure
are a totally different thing. Those are obviously more compatible with
HTTP/2.


-Ilari
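A demultiplexer of the kind discussed above, as an added example written for this page and not code from the draft or from either correspondent: it classifies the client's opening bytes after TLS termination as DNS-over-TLS (2-byte length prefix plus a DNS header), HTTP/1.x or HTTP/2, and reports when it must wait for more bytes, which is the client-sends-first property the reply relies on. The check ordering, the method list and the DNS sanity checks are assumptions of this example, not the draft's normative rules; the byte samples are constructed.

```python
"""Classify a client's opening bytes on a shared TLS listener.

Simplified demux heuristic (an assumption of this example, not the draft's
normative rules): the server has sent nothing yet, because a DNS-over-TLS
client expects only DNS responses, so the decision must rest entirely on
what the client sends first.
"""
import struct

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 client preface
HTTP1_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

# Constructed samples: a DoT query and a response for example.com/A,
# plus an HTTP/1.1 request. The HTTP/2 preface is the constant above.
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
DNS_QUERY = (struct.pack("!H", DNS_HEADER_LEN + len(_QUESTION))
             + struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _QUESTION)
DNS_RESPONSE = (struct.pack("!H", DNS_HEADER_LEN + len(_QUESTION))
                + struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION)
HTTP1_REQUEST = b"GET /dns-query HTTP/1.1\r\nHost: example.com\r\n\r\n"


def classify(first_bytes: bytes) -> str:
    """Return 'http/2', 'http/1', 'dns', 'need-more' or 'unknown'."""
    # HTTP/2 first: the preface is fixed text, so a partial prefix match
    # means "wait for more bytes", never "DNS".
    n = min(len(first_bytes), len(HTTP2_PREFACE))
    if first_bytes[:n] == HTTP2_PREFACE[:n]:
        return "http/2" if n == len(HTTP2_PREFACE) else "need-more"
    # HTTP/1.x: the request line opens with a known method token and a space.
    if any(first_bytes.startswith(m) for m in HTTP1_METHODS):
        return "http/1"
    if any(m.startswith(first_bytes) for m in HTTP1_METHODS):
        return "need-more"
    # DNS-over-TLS (RFC 7858): 2-byte length prefix, then a DNS header.
    if len(first_bytes) < 2 + DNS_HEADER_LEN:
        return "need-more"
    (length,) = struct.unpack("!H", first_bytes[:2])
    if length < DNS_HEADER_LEN:
        return "unknown"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack(
        "!HHHHHH", first_bytes[2:2 + DNS_HEADER_LEN])
    qr = flags >> 15              # 0 = query; a client never opens with a response
    opcode = (flags >> 11) & 0xF  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
    if qr == 0 and opcode in (0, 1, 2, 4, 5) and qdcount >= 1:
        return "dns"
    return "unknown"
```

Unregistered HTTP methods fall through to the DNS checks and usually come out as 'unknown'; a real demuxer would need a policy for such ambiguous openings rather than guessing.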