[Doh] DOH behind caching proxies

manu tman <chantr4@gmail.com> Fri, 19 January 2018 00:15 UTC

To: doh@ietf.org
Message-ID: <CAArYzrKXNXAFt6LqCu=Qj=5a_huf-VuTo_HWhi8fokELgrazYg@mail.gmail.com>
List-Id: DNS Over HTTPS <doh.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/DAeqQpiy5vUY_4VKms4GLIAtpuw>

Hi list,

Should we clarify the behaviour of caching proxies?

When using a proxy in front of DOH servers and doing targeting based on
resolver IP or using ECS, the returned answer for the same query (body param)
may be different depending on the client, but if the caching proxy caches
based on GET parameters, there is a chance of returning answers that are
supposed to be correct for another client.

In draft-ietf-doh-dns-over-https-02

Section 5:
```
Using the GET method is friendlier to many HTTP cache implementations.
```
and

```
In order to maximize cache friendliness, DNS API clients using media
formats that include DNS ID, such as application/dns-udpwireformat,
SHOULD use a DNS ID of 0 in every DNS request.
```

As much as we may instruct the client to cache the result, if there are
proxies in the middle, they should not cache the answer they received
from backend DOH servers.


Manu
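The cross-client leak the message describes, reproduced as an added example (editor's code, not part of the original post or of any DoH implementation). It builds a DoH GET URL from a wire-format query with DNS ID 0, as the draft recommends, then runs it through a constructed origin whose answer depends on the client's source address and a constructed proxy that caches on the URL alone. The second client gets the first client's answer. The hardened proxy honours the standard HTTP `Cache-Control: private` / `no-store` response directives (RFC 7234 semantics), which is one way an origin can tell intermediaries not to share an answer; that choice, the hostname `doh.example`, the client and answer addresses, and the string answer bodies are all assumptions of this example.

```python
import base64
import struct


def build_query(qname: str, qtype: int = 1, dns_id: int = 0) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): header plus one question, no EDNS.
    dns_id defaults to 0, as draft-ietf-doh-dns-over-https-02 recommends, so that
    identical questions from different clients serialize to identical bytes."""
    header = struct.pack("!HHHHHH", dns_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(wire: bytes, base: str = "https://doh.example/dns-query") -> str:
    """GET form of a DoH request: base64url-encoded query, padding stripped."""
    return base + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


class TargetingDohServer:
    """Constructed DoH origin: the answer depends on the client's source address
    (the 'targeting based on resolver IP' case). Bodies are plain strings here
    instead of DNS responses, a simplification for the demonstration."""
    ANSWERS = {"192.0.2.10": "198.51.100.1", "203.0.113.7": "198.51.100.2"}

    def __init__(self, cache_control: str) -> None:
        self.cache_control = cache_control

    def handle(self, client_ip: str, url: str) -> dict:
        return {"status": 200,
                "headers": {"Content-Type": "application/dns-udpwireformat",
                            "Cache-Control": self.cache_control},
                "body": self.ANSWERS.get(client_ip, "198.51.100.254")}


class NaiveCachingProxy:
    """Caches purely on the request URL; never looks at who asked or at
    what the origin said about cacheability."""

    def __init__(self, origin: TargetingDohServer) -> None:
        self.origin = origin
        self.cache: dict = {}

    def fetch(self, client_ip: str, url: str):
        if url in self.cache:
            return self.cache[url], True  # served from cache
        resp = self.origin.handle(client_ip, url)
        self.cache[url] = resp
        return resp, False


class CacheControlAwareProxy(NaiveCachingProxy):
    """Same cache key, but refuses to store responses the origin marked
    'private' or 'no-store', so per-client answers are never shared."""

    def fetch(self, client_ip: str, url: str):
        if url in self.cache:
            return self.cache[url], True
        resp = self.origin.handle(client_ip, url)
        directives = {d.strip().lower()
                      for d in resp["headers"].get("Cache-Control", "").split(",")}
        if not directives & {"private", "no-store"}:
            self.cache[url] = resp
        return resp, False


def demo(proxy_cls, cache_control: str):
    """Two clients behind one proxy ask the same question. Returns
    (answer seen by client A, answer seen by client B, was B's a cache hit)."""
    proxy = proxy_cls(TargetingDohServer(cache_control))
    url = doh_get_url(build_query("www.example.com"))
    a, _ = proxy.fetch("192.0.2.10", url)
    b, hit = proxy.fetch("203.0.113.7", url)
    return a["body"], b["body"], hit


if __name__ == "__main__":
    print("naive proxy, public answer:  ", demo(NaiveCachingProxy, "public, max-age=300"))
    print("aware proxy, private answer: ", demo(CacheControlAwareProxy, "private, max-age=300"))
```

Note that `Vary` does not help here: the thing the answer varies on (source address, or an ECS value the origin derives from it) is not a request header, so the origin has no header to name. Giving each client a distinct DNS ID would also avoid the collision, because the URL itself would differ, but only by defeating the cache entirely, which is exactly the trade-off the quoted draft text is making.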