IETF Logo Mail Archive

Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification

Ben Schwartz <bemasc@google.com> Tue, 08 September 2020 14:41 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6BF13A0DC8 for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 07:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3wiBdQ1fhyj for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 07:41:16 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAA723A11F6 for <dns-privacy@ietf.org>; Tue, 8 Sep 2020 07:41:16 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id l4so15626968ilq.2 for <dns-privacy@ietf.org>; Tue, 08 Sep 2020 07:41:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FrO2pyk7n+9wlAvN8jCR7FcuXvOvJOcoCmbTkVxRcXg=; b=RHGykAjZVn/eOaaWODIJsKf/MqTGwyMjpF2vwgzIoMzvwkUlSrcP3A/7ZdylRnvjwf BXTNBf04A68Y4YD7WHMuCqstyBZRwgzu8n/Vs9SHqr9i8kUDQ5xsDKE5TCqY02I5vZZq OxEmdKeo6yZSR8xXpljB9dJsh6S2pC8HZy5yNihwlpvYEOSkWxvhXR1P5LnycxYv/FG3 D9PNTcDVnYkSkUNWV7vdvRjF8sqUyVRo0FboPQhTNdoemqDbV7c9K0w8NRY8d0QG464Z MJfrI2dKGnNXaPpF8j1p9LZ5T4L5NzL0ngI9UHXCUS4+q6s9SvnTz/wVc6N/ZdkgCpaG ZmwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FrO2pyk7n+9wlAvN8jCR7FcuXvOvJOcoCmbTkVxRcXg=; b=bJj5IlLvdRSDMYzpAzBZdUNgupcnCj7NTENV5kw66rMiK9D8ZtEV8f0285qx3EJsFy QHjqhIEzvrYFaSelRa4UuTbvlklm3C/WVMpkA4Cb3XVWqD4+/tv+BYFE1jrQDBMxDDp/ Ey9/yJ+D3/9nWpusZ2HxEc7+4CW/381zm9ZsUxH0kqZJOrNxOlYR4p73vnEm+Xf43+oi XoJalhRAeuK1Aw1SMWS9eNjeeVEQfjzP0qzdkFARV70/ap3dbzQSvOu9920bdh+TfyB/ /PZLWODR2ncJ1FFYFBhZg/nJDEohpAgceLOicLvKoXvjLxNzQO4jSvZ/ZpzRg32YOwZm cK2Q==
X-Gm-Message-State: AOAM530Cy2bm/IGaRGueHfUP6KfGtmIpQ3CFJXhObzA6Hv3IAC0oHKVi TolJFpIhbmmf/sCNu7XSn6HKMVc8UTQRgGD0y9clM09bzKKRdQ==
X-Google-Smtp-Source: ABdhPJwqTYtyNTnSlRfhEb5FAwjaPP3aQTa+DffBaNZdSUq3fvkznfmQ74plUn7F4aznkuWs6Kd8pIfkKcYBUPx8c8k=
X-Received: by 2002:a92:7c03:: with SMTP id x3mr3773244ilc.241.1599576075054; Tue, 08 Sep 2020 07:41:15 -0700 (PDT)
MIME-Version: 1.0
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com> <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk>
In-Reply-To: <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 08 Sep 2020 10:41:03 -0400
Message-ID: <CAHbrMsD2y0o+uV9eiAb32_=6ZYwAUoS_zM5+T97SxnHzxB05bQ@mail.gmail.com>
To: Neil Cook <neil.cook@noware.co.uk>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000cd47b605aece53e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jWDqXS_Dwpt0-7wc73soxD8h1fo>
Subject: Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 14:41:21 -0000

On Tue, Sep 8, 2020 at 7:26 AM Neil Cook <neil.cook@noware.co.uk> wrote:

> Thanks for reviewing! Some responses inline,
>
> Neil
>
> On 28 Aug 2020, at 15:41, Ben Schwartz <bemasc@google.com> wrote:
>
> Some commentary on this draft:
>
> Section 3 proposes that there is an apparent inconsistency within RFC 8484
> regarding redirection and URI permissioning.  I disagree: I find the
> meaning of the text in RFC 8484 quite clear and consistent on this point.
> To the extent that some aspects of client and server behavior are not
> specified, this is largely deliberate.  HTTP contains a vast range of
> behaviors that clients and servers might or might not support, including
> following of redirects (which is optional [1]).
>
>
> Well you might find it clear, but before writing the draft the authors
> exchanged emails with the authors of RFC8484 and even they could not
> definitively answer the questions we pose in Section 3.
>

Of course there are many questions that the draft makes no attempt to
answer, including the question of how best to implement redirection.
However, I do not agree that there is an "apparent inconsistency", as the
authors have previously discussed, e.g.
https://mailarchive.ietf.org/arch/msg/doh/cH_kL3tjtOs-y_ZqRe2iQ5_P4TQ/.

>
> On server push, I think this draft contains a misunderstanding.  RFC 8484
> says that clients must not accept and use DNS records that were pushed from
> some arbitrary server that is not the client's configured DoH resolver.
> (That would obviously be unsafe.)  It does not forbid accepting unsolicited
> records that were pushed from the configured DoH server.  (In some
> configurations, unsolicited records of this type would live in a local HTTP
> cache, invisible to the DNS client layer until a matching query is issued.)
>
>
> That might be your understanding. It is not universal, hence the need for
> the clarification.
>

I'm referring to the line "[RFC8484] does not ... clarify that unsolicited
messages from a configured DoH server should be excluded".  This seems
backwards: the requirement does not exist, so there is nothing to clarify.
In fact, such a requirement would be unimplementable in the cache
architecture that RFC 8484 describes.

...

> I would encourage the authors to avoid assumptions about specific RR
> types, and also to explain why CNAME or Alt-Svc is not sufficient for
> server changes.
>
>
> The document goes into detail about why Alt-Svc is not sufficient - the
> first part of Section 5 as well as Appendix A.
>

This explanation only goes one step, by noting that Alt-Svc requires the
destination to be authoritative for the origin.  The question is: why do
you need to redirect the user to a different origin?  There's a hint about
"redirecting the client to a locally administered DoH server", but I wasn't
able to understand the motivation.  What is the system architecture you are
trying to enable, and why?

>
> This proposal seems to assume that there is only one DoH service on the
> domain that is hosting this JSON file.  This is not required by RFC 8484,
> and is already false for some major deployments (e.g. NextDNS).
>
>
> I’m not sure what you mean by this.
>

DoH URIs are full URIs, not merely domain names, so there can be an
unlimited number of DoH servers on a single domain, at different paths,
with different behaviors.  An example of an existing domain with this
behavior is dns.nextdns.io, which has one such DoH path for every user.
The proposed .well-known structure does not appear to support this
configuration: it would collapse all these disparate paths onto a single
destination template.

> The 3XX proposal (Section 7) sends DNS records in the body of a 3XX
> response.  This is interesting but definitely unusual: "The server's
> response payload usually contains a short hypertext note with a hyperlink
> to the new URI(s)." [2].  Also, since following redirects is optional, a
> server using this mechanism would risk losing any non-redirect-following
> clients.  That's acceptable if the query would otherwise have to fail, but
> needs to be mentioned in the draft.
>
>
> Surely any DoH server returning a 3XX would risk losing any
> non-redirect-following clients already, regardless of this draft?
>

Yes, but the draft is encouraging servers to do this, so it needs a warning
label.

On Tue, Sep 8, 2020 at 7:43 AM Neil Cook <neil.cook=
40noware.co.uk@dmarc.ietf.org> wrote:

> Do you think that  RFC8484 provides enough information for DNS client and
> servers to implement redirection in an interoperable way?


Yes, insofar as it "might" work, which is all that can be said, since
redirection itself is optional.

Is redirection necessary?


I'm not aware of an important use case for redirection.


> If so do you have any other proposals for how it could be done?
>

Servers can redirect any query except those needed to follow the redirect.

...

> I understand the concern about encoding RRs; the glue records could be
> encoded as per a regular DNS response for example. However given that these
> are glue-style RRs, why would they need to extend beyond A and AAAA? This
> isn’t a general purpose proposal for encoding DNS records in JSON.
>

As I noted, your proposal already breaks client-side DNSSEC validation, and
would prevent use of the new HTTPS RR.  The set of "glue-style" RRs that
might be needed here is evolving, and may continue to evolve.

v2.23.0 | Report a Bug | By Email