Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-wireformat-http-03.txt

Ben Schwartz <bemasc@google.com> Fri, 06 July 2018 14:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PqnNSMpRoMYzSUOX9B_Y3vqSFCs>

On Fri, Jul 6, 2018 at 9:06 AM Bob Harold <rharolde@umich.edu> wrote:

>
> On Tue, Jul 3, 2018 at 12:36 PM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>
>> Thanks for improving the clarity of this draft.
>>
>> Could you provide an example of a use case where the baseline DOH
>> behavior is not sufficient, to motivate the "proto" parameter?  The text
>> mentions a "transparency principle" as motivation, but I don't understand
>> the significance of this principle.
>>
>> In particular, I think the draft should explain why it's not sufficient
>> to apply truncation when the proxy packages an HTTP DOH response into a DNS
>> response over UDP.
>>
>>
> As I understand it, there are cases where TCP is handled differently than
> UDP.  TCP has a session and is less susceptible to source address
> spoofing,  so things like "ANY" responses, or longer answers, might be
> handled differently.
>

OK.  Obviously we know that they are handled differently insofar as the
response over UDP will be truncated.  Is there another difference?  I'm
trying to understand what behavior the DOH proxy can't replicate by
performing truncation itself, and whether that behavior is of importance to
anyone.

I'd forgotten about the "Refuse ANY" draft, which does indeed offer the
option of having different behaviors over UDP and TCP.  Maybe someone who's
familiar with that draft could comment on whether they think it's valuable
to enable access to the "UDP version" of the ANY response.


> --
> Bob Harold
>
>
> On Mon, Jul 2, 2018 at 6:10 PM <internet-drafts@ietf.org> wrote:
>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Domain Name System Operations WG of the
>>> IETF.
>>>
>>>         Title           : An Proxy Use Case of DNS over HTTPS
>>>         Authors         : Linjian Song
>>>                           Paul Vixie
>>>                           Shane Kerr
>>>         Filename        : draft-ietf-dnsop-dns-wireformat-http-03.txt
>>>         Pages           : 6
>>>         Date            : 2018-07-02
>>>
>>> Abstract:
>>>    This memo introduces a DNS proxy use case to tunnel DNS query and
>>>    response using DNS over HTTPs (DOH) protocol, a newly proposed DNS
>>>    transport.  The proxy use case is useful as an incremental adoption
>>>    tool when DOH is not widely available in old-transport client and
>>>    server.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-wireformat-http/
>>>
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-dnsop-dns-wireformat-http-03
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-wireformat-http-03
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dns-wireformat-http-03
>>>
>>
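The truncation step discussed above, written out as an added example (not code from this thread or from the draft): a DoH-to-UDP proxy that receives the full response over HTTPS, reads the UDP payload limit the client advertised in its original query (EDNS0 OPT, else 512 bytes), and, when the answer does not fit, hands back only header and question with TC=1 so the client retries over TCP. The sample query and response are constructed here for illustration; the name example.com and the 192.0.2.x addresses are placeholders.

```python
import struct

def _skip_name(msg, off):
    """Offset just past the name at msg[off]; a compression pointer (>= 0xC0) ends it in 2 bytes."""
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def _skip_questions(msg):
    """Offset just past the question section (QNAME + QTYPE + QCLASS per entry)."""
    off = 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):
        off = _skip_name(msg, off) + 4
    return off

def udp_payload_size(query):
    """UDP size the client advertised in its EDNS0 OPT record, else the 512-byte RFC 1035 default."""
    an, ns, ar = struct.unpack("!HHH", query[6:12])
    off = _skip_questions(query)
    for _ in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:                      # OPT: the CLASS field carries the payload size
            return max(rclass, 512)          # RFC 6891: values below 512 are treated as 512
        off += 10 + rdlen
    return 512

def truncate_for_udp(response, limit):
    """Fit a full DoH/TCP response into one datagram: if it exceeds the client's limit, keep
    only header + question, set TC=1 and zero the RR counts so the client retries over TCP."""
    if len(response) <= limit:
        return response
    end_q = _skip_questions(response)
    ident, flags, qdcount = struct.unpack("!HHH", response[:6])
    return struct.pack("!HHHHHH", ident, flags | 0x0200, qdcount, 0, 0, 0) + response[12:end_q]

def build_message(flags, name="example.com", answers=0, edns_size=None):
    """Constructed sample message: one A/IN question, `answers` 16-byte A records (owner name as a
    pointer to offset 12), and optionally an EDNS0 OPT record advertising edns_size."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 1 if edns_size else 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00\x00\x01\x00\x01"
    for i in range(answers):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)   # OPT: CLASS field = payload size
    return msg

QUERY = build_message(0x0100)                 # no OPT record: this client can only take 512 bytes
RESPONSE = build_message(0x8180, answers=40)  # 669 bytes: fine over DoH/TCP, too big for that client
```

Calling `truncate_for_udp(RESPONSE, udp_payload_size(QUERY))` yields the 29-byte header-plus-question reply with TC set, whereas a client advertising a 4096-byte buffer would receive the full response unchanged.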