IETF Logo Mail Archive

Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification

Ben Schwartz <bemasc@google.com> Tue, 08 September 2020 19:31 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1643A0EAB for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 12:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOv_6Jj8I94P for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 12:31:45 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37C7B3A0EA4 for <dns-privacy@ietf.org>; Tue, 8 Sep 2020 12:31:45 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id p13so50324ils.3 for <dns-privacy@ietf.org>; Tue, 08 Sep 2020 12:31:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o5V/vkCEHHYZKod4RofLQgYiBub/L+eNZpDMcDqO65I=; b=SCdTrZkfr1S/DTuC56FitWXwjH348QQxj6sfK0xSdsAfIzgqZGUWnBoj2A1iIqpIW+ RVYCyg7qgOB4xqrKswdf7Jm3ah0LzFdBLoLJJrOeylM/65NpdyhDVTzwWKtTE2tp5N8f 3W9kyz7CjqepAMn59khAFUprUP1Aze6X8PysSdPpiK0subQOD3tRjlzaFRWoZwDNVHI+ /J2QQMIRCbMPWv9i7plKbNrVbhgkbKLd+W7NUTmXwfhlzo8D8LbtTLKTCbxSMvKW7iLo di31wclSLtl3IUohHkys0m4nNP5JPm5Ws4NWP7jCB/zKMbnUo7YHfMt/3Pp4Md/OItg+ rr9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o5V/vkCEHHYZKod4RofLQgYiBub/L+eNZpDMcDqO65I=; b=IO9jeFpTBr6ko/e5r7kVDt/iwhRAN97DJ0Sxj5TiAanHnHCZGl7i27W3PDAycx8y2m Oqv7qPVeU9enabsGR9tSqOXbI52+A5t4y1ZG86gS8lOSyExC60o2jLu9FmvVXYemXxZQ j55HjdbWdvi+14toh4YOOrMPqWYdivEtYlKTCitHiKsvbOs/TIqXgFYKokwpVz2IoSDO 0FJ6UBb7uQ1zdPjuvm30qPnzhFAcnPuK2CfmYGV3AXeYSJh9W30QPM/HA6noObgBJdD6 1yZ06rEFjs/2ONBR2TdTeSx5jyQy6xyOTTYqHDPQ11mEFBI5a1NhdEkEB08KumZDSdE1 DFTA==
X-Gm-Message-State: AOAM532GvyU0+5WmI31Foow/imVs5O2tECqX/PeS28rU6sZqv298gnsM LV8IAfJDJtTTKVHGCTlSAx6NZ/mzsHFk+ZBvINyrbA==
X-Google-Smtp-Source: ABdhPJw4KtwlHPJxcbHdP3p4F3yThGvII/9xSqzrisDCcKwf6HBy2Hkz7Qa/xdY8JjnSFCkJtmaHPpok1wlGB1uB6VU=
X-Received: by 2002:a92:15c5:: with SMTP id 66mr335654ilv.44.1599593504132; Tue, 08 Sep 2020 12:31:44 -0700 (PDT)
MIME-Version: 1.0
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk> <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com> <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk>
In-Reply-To: <0799B139-E353-4EC7-9340-87CE00C465AA@noware.co.uk>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 08 Sep 2020 15:31:32 -0400
Message-ID: <CAHbrMsC=kOYUL_Ei1uSnWJ3hGxu=7c10eRofXJ=w5sQzcbu6mA@mail.gmail.com>
To: Neil Cook <neil.cook@noware.co.uk>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000a04e0605aed2626a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/eA8rue_oyKnkyGU2ZUOAelgXDIk>
Subject: Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 19:31:49 -0000

On Tue, Sep 8, 2020 at 11:33 AM Neil Cook <neil.cook@noware.co.uk> wrote:

>
>
> On 8 Sep 2020, at 15:41, Ben Schwartz <bemasc@google.com> wrote:
>
> Of course there are many questions that the draft makes no attempt to
> answer, including the question of how best to implement redirection.
>
>
> I’m not sure how to take the above statement. The draft explicitly tries
> to answer how to best implement redirection.
>

I was unclear; I was referring to RFC 8484.

...

> The question is: why do you need to redirect the user to a different
> origin?  There's a hint about "redirecting the client to a locally
> administered DoH server", but I wasn't able to understand the motivation.
> What is the system architecture you are trying to enable, and why?
>
>
> One of the original motivations was to enable redirection from a central
> DoH server to a DoH forwarder running on e.g. a home router (in this case
> managed and provided by the operator of the central DoH server). Thus you
> might start off talking to “https://example.com/whatever” and you would
> be redirected to “https://cpe1234.example.com/whatever”. That’s why this
> draft was in the ADD WG before dprive.
>

That's an interesting use case, and I think it deserves more exposition.
To me, it raises questions like
* How did the client get configured to use the specified URI template in
the first place?
* Why should the client use the CPE resolver instead of the central
resolver, if they are administered by the same entity?
* How does the server know which CPE to redirect the client to?
* What are the trust properties of a certificate stored on the CPE?
* Could you use IP certificates to avoid the bootstrap problem?

There are numerous potential ways to enable encryption between the client
and CPE; it's not at all obvious to me that the right solution is to
integrate with DoH in this way.

> On Tue, Sep 8, 2020 at 7:43 AM Neil Cook <neil.cook=
> 40noware.co.uk@dmarc.ietf.org> wrote:
>
>> Do you think that  RFC8484 provides enough information for DNS client and
>> servers to implement redirection in an interoperable way?
>
>
> Yes, insofar as it "might" work, which is all that can be said, since
> redirection itself is optional.
>
>
> It “might" work isn’t enough to develop clients and servers that
> interoperate.
>

Sure.  To be precise, RFC 8484 imposes enough requirements on clients that
a server can implement redirection in a way that works for at least some
use cases, for all RFC8484 clients that also support redirection.

...

> If so do you have any other proposals for how it could be done?
>>
>
> Servers can redirect any query except those needed to follow the redirect.
>
>
> I’m not sure if that could be easily implementable in a DNS server (the
> redirect might lead to a long chain of CNAMEs for example, and the server
> would need to maintain state across queries), but I’d be interested to see
> if it could be. If so, it would certainly be a more attractive approach.
>

You could also use static analysis to avoid keeping state across
queries, if the destination domain is cooperating (as in your example
above).  That said, this is all much simpler and more performant if the
goal is only to redirect some small category of queries, as opposed to
redirecting everything.  That goes back to the question of use cases.

v2.23.0 | Report a Bug | By Email