Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification
Neil Cook <neil.cook@noware.co.uk> Tue, 08 September 2020 11:26 UTC
Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFFA53A101E for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 04:26:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=noware.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KNzwgaXyYze for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2020 04:26:36 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id B3A673A1010 for <dns-privacy@ietf.org>; Tue, 8 Sep 2020 04:26:36 -0700 (PDT)
Received: from [192.168.1.170] (unknown [109.156.119.142]) by mail.noware.co.uk (Postfix) with ESMTPSA id B65881D8381; Tue, 8 Sep 2020 11:24:01 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.noware.co.uk B65881D8381
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=noware.co.uk; s=default; t=1599564242; bh=wvVOMJQj/eQVwYS7csU+M4JfJNUVH3TgxJSz1hx23M8=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=OW8AnabseX7mXsjLjikjTuiNyPwIlCm/sB5ysseME18/D4sutVxuPr5/eGbEUZxDy sHmyV3jjEXPTzP4TGX6EHLkb/PMn8ZFFCPyJyL/xFcgDc5WpOFNQ1FaVq/kbFhx7UC 4iz1MyGFRcqY03Non5q8BAzyufq/yqdaUqj0u7qM=
From: Neil Cook <neil.cook@noware.co.uk>
Message-Id: <8C6ABDA8-9A0E-44BB-AE23-43F97AF29730@noware.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EF56FCE4-94E5-4DCC-9937-2084501DA0A7"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 08 Sep 2020 12:26:32 +0100
In-Reply-To: <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
To: Ben Schwartz <bemasc@google.com>
References: <6e071da2-4281-d525-03ba-4d6dfc843a76@innovationslab.net> <CAHbrMsB7T+5Y=2n4LfcXwyAZQSnK4x72R44_2mCDsLhh_zD9Vw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: -100
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduiedrudehfedgvdefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecupffgkffnvefqqffmnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhkfgtggfuffgjvfhfofesrgdtmherhhdtjeenucfhrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqnecuggftrfgrthhtvghrnhepledtteekveegkeffudfftdeffefhtdffgeetiefgjeeivefhieekfedvtefhgfegnecuffhomhgrihhnpehivghtfhdrohhrghenucfkphepuddtledrudehiedrudduledrudegvdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpedutdelrdduheeirdduudelrddugedvpdhhvghloheplgduledvrdduieekrddurddujedtngdpmhgrihhlfhhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqedprhgtphhtthhopegsvghmrghstgesghhoohhglhgvrdgtohhmpdhrtghpthhtohepughnshdqphhrihhvrggthiesihgvthhfrdhorhhg
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/siMocrDPtvzyZ8HKQpa-HJs1iYI>
Subject: Re: [dns-privacy] Review request: draft-btw-dprive-rfc8484-clarification
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 11:26:39 -0000
Thanks for reviewing! Some responses inline, Neil > On 28 Aug 2020, at 15:41, Ben Schwartz <bemasc@google.com> wrote: > > Some commentary on this draft: > > Section 3 proposes that there is an apparent inconsistency within RFC 8484 regarding redirection and URI permissioning. I disagree: I find the meaning of the text in RFC 8484 quite clear and consistent on this point. To the extent that some aspects of client and server behavior are not specified, this is largely deliberate. HTTP contains a vast range of behaviors that clients and servers might or might not support, including following of redirects (which is optional [1]). Well you might find it clear, but before writing the draft the authors exchanged emails with the authors of RFC8484 and even they could not definitively answer the questions we pose in Section 3. > > On server push, I think this draft contains a misunderstanding. RFC 8484 says that clients must not accept and use DNS records that were pushed from some arbitrary server that is not the client's configured DoH resolver. (That would obviously be unsafe.) It does not forbid accepting unsolicited records that were pushed from the configured DoH server. (In some configurations, unsolicited records of this type would live in a local HTTP cache, invisible to the DNS client layer until a matching query is issued.) > That might be your understanding. It is not universal, hence the need for the clarification. > The draft contains two proposals that seem to be minimally related. I would consider splitting them into two drafts. > That is certainly a possibility. Although personally (and this is questioned in the draft itself), I’m not sure that resource-level redirection makes sense given that every unique DNS query could generate a redirect (with caching implications). > The ".well-known" proposal (Section 6) does what RFC 8484 avoided doing: it proposes an alternative encoding of DNS records in JSON. As a result, it can only represent a subset of DNS information, with standards work required for each extension. For example, as currently specified, it cannot represent DNSSEC signatures or the HTTPS RR type. I would encourage the authors to avoid assumptions about specific RR types, and also to explain why CNAME or Alt-Svc is not sufficient for server changes. The document goes into detail about why Alt-Svc is not sufficient - the first part of Section 5 as well as Appendix A. > > This proposal seems to assume that there is only one DoH service on the domain that is hosting this JSON file. This is not required by RFC 8484, and is already false for some major deployments (e.g. NextDNS). > I’m not sure what you mean by this. > The 3XX proposal (Section 7) sends DNS records in the body of a 3XX response. This is interesting but definitely unusual: "The server's response payload usually contains a short hypertext note with a hyperlink to the new URI(s)." [2]. Also, since following redirects is optional, a server using this mechanism would risk losing any non-redirect-following clients. That's acceptable if the query would otherwise have to fail, but needs to be mentioned in the draft. > Surely any DoH server returning a 3XX would risk losing any non-redirect-following clients already, regardless of this draft? > [1] https://tools.ietf.org/html/rfc7231#section-6.4 <https://tools.ietf.org/html/rfc7231#section-6.4> > [2] https://tools.ietf.org/html/rfc7231#section-6.4.2 <https://tools.ietf.org/html/rfc7231#section-6.4.2> > On Fri, Aug 28, 2020 at 8:52 AM Brian Haberman <brian@innovationslab.net <mailto:brian@innovationslab.net>> wrote: > Hi all, > One of the discussion points during IETF 108 revolved around a > group of DNS-related drafts without a clear place for discussion. The > DNSOP, ADD, and DPRIVE chairs and ADs convened a few weeks ago to try > and sort this out. The upshot of that discussion is that > draft-btw-dprive-rfc8484-clarification should be discussed on the DPRIVE > mailing list. So, this is a request for WG participants to review the > draft and provide feedback on the mailing. > > https://datatracker.ietf.org/doc/draft-btw-dprive-rfc8484-clarification/ <https://datatracker.ietf.org/doc/draft-btw-dprive-rfc8484-clarification/> > > Regards, > Brian > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org <mailto:dns-privacy@ietf.org> > https://www.ietf.org/mailman/listinfo/dns-privacy <https://www.ietf.org/mailman/listinfo/dns-privacy>
- [dns-privacy] Review request: draft-btw-dprive-rf… Brian Haberman
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Martin Thomson
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] Review request: draft-btw-dpriv… Neil Cook
- Re: [dns-privacy] Review request: draft-btw-dpriv… Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Winfield, Alister
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Neil Cook
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Rob Sayre
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Ben Schwartz
- Re: [dns-privacy] [EXTERNAL] Re: Review request: … Konda, Tirumaleswar Reddy