Re: [Doh] DoH and PAC

Valentin Gosu <valentin.gosu@gmail.com> Tue, 06 September 2022 10:54 UTC

References: <A896A2AB-8E65-4C63-BE6A-B4086E14F51E@apple.com>
In-Reply-To: <A896A2AB-8E65-4C63-BE6A-B4086E14F51E@apple.com>
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Tue, 06 Sep 2022 12:54:25 +0200
Message-ID: <CACQYfi+hc0PYiPqeQwWb-Wvzq451ttaaejoc2X9Ta06gHVZVDA@mail.gmail.com>
To: Guoye Zhang <guoye_zhang=40apple.com@dmarc.ietf.org>
Cc: ietf-http-wg <ietf-http-wg@w3.org>, doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/5WYfmTXTi8cNYOnADxSraSC0lx0>
Subject: Re: [Doh] DoH and PAC
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>

Hi Guoye,

We had the same problem in Firefox, and our solution was the same [1].
Given the way PAC is used, I think not using DoH makes sense.
We also had a similar deadlock with OCSP [2], where you need to wait for
the OCSP check for the DoH server's certificate, but that OCSP check also
needs to resolve DNS.

Cheers!

[1] https://searchfox.org/mozilla-central/rev/3f9dcc016dd96a0336d46f4a19aeabdd796ab9e9/netwerk/base/ProxyAutoConfig.cpp#237-242
[2] https://searchfox.org/mozilla-central/rev/3f9dcc016dd96a0336d46f4a19aeabdd796ab9e9/netwerk/protocol/http/HttpBaseChannel.cpp#488-494

On Mon, 5 Sept 2022 at 20:06, Guoye Zhang <guoye_zhang=40apple.com@dmarc.ietf.org> wrote:

> Hi,
>
> Recently, we identified an issue where DNS over HTTPS (DoH) and Proxy
> Auto-Configuration (PAC) deadlock with each other.
>
> To briefly introduce what they are: As its name indicates, DoH is DNS
> queries over HTTPS; PAC is a JavaScript function which, given a URL,
> tells you whether we should go over a proxy or connect directly.
>
> The problem arises when both DoH and PAC are configured on the system. In
> order to fetch an HTTP resource, we first need to consult the PAC script.
> The PAC script is usually fetched from an HTTP URL, and we are smart enough
> not to consult the PAC script for itself. However, fetching the script does
> require DNS resolution, which goes over DoH. DoH creates an HTTP connection
> and consults PAC, and here is where it deadlocks. Another case is where PAC
> scripts can also manually initiate DNS resolution through JavaScript APIs
> like `dnsResolve()`.
>
> DoH depends on PAC and PAC depends on DoH. We have to break the chain
> somewhere, and the decision was to never use DoH in PAC: fetching the PAC
> script and JavaScript DNS APIs inside PAC always use cleartext DNS.
>
> Are there any other HTTP client implementations facing the same issue?
> What are your solutions?
>
> Thanks,
> Guoye Zhang
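The dependency cycle both messages describe, and the reason that breaking it at PAC alone is not enough once the OCSP case from [2] is included, as an added example that is not part of the original thread or of either vendor's implementation. It is a synchronous JavaScript model (PAC scripts are JavaScript): a re-entrancy guard stands in for the asynchronous wait that would hang a real client, and it throws with the cycle spelled out. All hostnames and addresses, the bootstrap address for the DoH server, the PAC script body and the `ocspBypassesDoH` remedy are assumptions; the thread states that PAC fetches and `dnsResolve()` use cleartext DNS but does not say how the OCSP case was resolved.

```javascript
// Constructed model of the DoH <-> PAC (and OCSP) dependency cycle from the
// thread. Not Firefox or WebKit code; every hostname, address and the PAC
// script body are assumptions.
const PAC_URL = "http://proxy.example.test/proxy.pac";
const DOH_URL = "https://doh.example.test/dns-query";
const DOH_BOOTSTRAP_IP = "192.0.2.53"; // assumed: DoH server address known out of band
const OCSP_URL = "http://ocsp.example.test/";

// Constructed cleartext zone; www is outside 192.0.2.0/24 so PAC proxies it.
const CLEARTEXT_ZONE = {
  "proxy.example.test": "192.0.2.10",
  "ocsp.example.test": "192.0.2.80",
  "www.example.test": "203.0.113.7",
};

// Constructed PAC script. dnsResolve() is a standard PAC helper; the policy is made up.
const PAC_SCRIPT = `
  function FindProxyForURL(url, host) {
    var ip = dnsResolve(host);
    if (ip && ip.indexOf("192.0.2.") === 0) return "DIRECT";
    return "PROXY proxy.example.test:8080";
  }`;

class Client {
  // pacBypassesDoH: PAC script fetch and dnsResolve() use cleartext DNS (the fix in the thread).
  // ocspBypassesDoH: OCSP fetches use cleartext DNS (assumed remedy for the OCSP cycle).
  constructor(policy) {
    this.policy = policy;
    this.inFlight = []; // operations currently waiting on a lower layer
    this.pacFn = null;  // cached FindProxyForURL
  }

  // Re-entrancy guard. An asynchronous client would wait on the first entry
  // forever; here the second entry throws so the cycle shows up in the message.
  guarded(key, fn) {
    if (this.inFlight.includes(key)) {
      throw new Error(`deadlock: ${[...this.inFlight, key].join(" -> ")}`);
    }
    this.inFlight.push(key);
    try { return fn(); } finally { this.inFlight.pop(); }
  }

  cleartextResolve(host) {
    const ip = CLEARTEXT_ZONE[host];
    if (!ip) throw new Error(`NXDOMAIN ${host}`);
    return ip;
  }

  resolve(host, purpose) {
    if (host === new URL(DOH_URL).hostname) return DOH_BOOTSTRAP_IP;
    const bypass = (purpose === "pac" && this.policy.pacBypassesDoH) ||
                   (purpose === "ocsp" && this.policy.ocspBypassesDoH);
    if (bypass) return this.cleartextResolve(host);
    // DoH: the query is itself an HTTPS fetch, so it consults PAC like any other.
    return this.guarded(`doh:${host}`, () => {
      this.fetch(DOH_URL, "doh");
      return this.cleartextResolve(host); // stand-in for the DoH answer
    });
  }

  loadPac() {
    if (this.pacFn) return this.pacFn;
    return this.guarded("pac-load", () => {
      this.fetch(PAC_URL, "pac"); // the PAC script is never consulted for its own URL
      const dnsResolve = (host) => this.resolve(host, "pac");
      this.pacFn = new Function("dnsResolve", `${PAC_SCRIPT}; return FindProxyForURL;`)(dnsResolve);
      return this.pacFn;
    });
  }

  proxyFor(url) {
    const pac = this.loadPac();
    // A blocking dnsResolve() holds the single PAC evaluation context, so a
    // DoH lookup issued from inside PAC that needs PAC again is the second cycle.
    return this.guarded("pac-eval", () => pac(url, new URL(url).hostname));
  }

  fetch(url, purpose) {
    const { protocol, hostname } = new URL(url);
    const route = purpose === "pac" ? "DIRECT" : this.proxyFor(url);
    const target = route === "DIRECT" ? hostname : route.split(" ")[1].split(":")[0];
    const ip = this.resolve(target, purpose);
    if (protocol === "https:") {
      // Revocation check for the server certificate: another fetch, another lookup.
      this.guarded(`ocsp:${hostname}`, () => this.fetch(OCSP_URL, "ocsp"));
    }
    return { url, route, ip };
  }
}

// Returns {ok: true, url, route, ip} or {ok: false, error} with the cycle spelled out.
function tryFetch(policy, url = "https://www.example.test/") {
  try { return { ok: true, ...new Client(policy).fetch(url, "user") }; }
  catch (e) { return { ok: false, error: e.message }; }
}

for (const policy of [
  { pacBypassesDoH: false, ocspBypassesDoH: false },
  { pacBypassesDoH: true, ocspBypassesDoH: false },
  { pacBypassesDoH: true, ocspBypassesDoH: true },
]) console.log(JSON.stringify(policy), "=>", JSON.stringify(tryFetch(policy)));
```

Run with `node`. The first policy fails while loading the PAC script (the DoH query for the PAC host needs PAC), the second loads PAC and evaluates it fine but loops between the OCSP fetch for the DoH server and the DoH query for the OCSP host, and only the third completes the proxied fetch.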