Re: [Doh] Subsection Server Push: unclear wording

Ben Schwartz <bemasc@google.com> Fri, 11 May 2018 14:49 UTC

Return-Path: <bemasc@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 175D4127419 for <doh@ietfa.amsl.com>; Fri, 11 May 2018 07:49:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.21
X-Spam-Level:
X-Spam-Status: No, score=-18.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G582dMN3wxak for <doh@ietfa.amsl.com>; Fri, 11 May 2018 07:49:11 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB1361200C1 for <doh@ietf.org>; Fri, 11 May 2018 07:49:11 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id n202-v6so2340384ita.1 for <doh@ietf.org>; Fri, 11 May 2018 07:49:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6ShvWhHijB40CWQLl4m7mvMJkrz56/fOJW/50dEf2RQ=; b=Omtaq+C2M149BQuBSLnU19VAxZh+/G2iOTO6T0XWOBugIPNesIQjNDCmkjcE9JGgzM Vd0Xuj0czPepZ2C9Av6oQD8TzjRJVtf9miKPioiC1SK4MSXEMVyxQsfFBVdVVzrG89tW cNEGeDXecqXWh2fEpTaKR8oBhR0+TajbpuBncLUEB+yIhMTgSgLNUsPWtlld87M2zEGU PnHipjG9TmyMs9er3B2C6P/4fopCdSGfXFs3261gTIuMhXI5rFxUVu2vahwGiNMdih09 /WJReYg+xmFpKfc1wJwVuEGogKhnpbZJCl6LnNUU4MhESRL8CIGg0LBzRBLI+qQ/WBh5 5gqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6ShvWhHijB40CWQLl4m7mvMJkrz56/fOJW/50dEf2RQ=; b=i0Fg3dG+4+osyaEqqzjJ4BC/XhMzVHuDA4bkTsDE+q2jqRzb+RU23nB5e+Uzqj/A3S LGdE8AwK460NQeYm1GQe1kmFNZ71x9XkxcLiH8rUG1ctoD5ls/gW462INWeq5jxcxE4I 6YvJeOEIPNhUzItPKp7PRr5MSKc5+l5wODdTwNsnjZIUcXkvw2Sfr6VXYt2LfKaA8fIr uFcs3223Tix1aUr3/7iY3jwqXADq6V77jw08peAMPoClv6F56gYVRWHe3PaVKz+mxJ3v YCz7Y7nx25j6HrOY2ZQxdB48Dak2g0Yk/VThqGjlYBLxVHdMs/YqrRWFsLZQ9uB6g1VB GWvA==
X-Gm-Message-State: ALKqPweZA3+mByJpyEhUKXPsp+ERNhwfUnxHhs/xccqqGXdmAhSuBEI7 +KbftLjfJ3PYTGkS1IOAKuIdBXP0wG1L/NQJVYV3mQ==
X-Google-Smtp-Source: AB8JxZoesD81fZwahxHcAR/yP2Ez8H/VtrrX2mA8gB8s9dK6GxKCS9+3VMOPucQ9ngr2osFZd0FVOSokgNnaH2+e+/g=
X-Received: by 2002:a24:5091:: with SMTP id m139-v6mr3549713itb.50.1526050150584; Fri, 11 May 2018 07:49:10 -0700 (PDT)
MIME-Version: 1.0
References: <8c412ef6-b92f-2547-d813-643e0e6d83e5@o2.pl>
In-Reply-To: <8c412ef6-b92f-2547-d813-643e0e6d83e5@o2.pl>
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 11 May 2018 10:48:58 -0400
Message-ID: <CAHbrMsDNDssW8wwpfP-37Ccx29c6r0vHFiLVsj=gd+mpkP3pNA@mail.gmail.com>
To: =?UTF-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="0000000000002da787056bef3d45"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/HpFjouxMNaeYqpE29iYSsnIIuAQ>
Subject: Re: [Doh] Subsection Server Push: unclear wording
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 14:49:14 -0000

On Fri, May 11, 2018 at 8:18 AM Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:

> Hello,
> The Server Push subsection now reads so:
>
>         Before using DOH response data for DNS resolution, the client MUST
>         establish that the HTTP request URI may be used for the DOH query.
> For
>         HTTP requests initiated by the DNS API client this is implicit in
> the
>         selection of URI. For HTTP server push ({{RFC7540}} Section 8.2)
> extra
>         care must be taken to ensure that the pushed URI is one that the
> client
>         would have directed the same query to if the client had initiated
> the
>         request.
>
> The first sentence is very misleading. The intention here was supposedly
> that
> the HTTP request URI is trusted by the client, not that it is working.
> This is
> clear by reading the commit that introduced the sentence:
>
> https://github.com/dohwg/draft-ietf-doh-dns-over-https/commit/2a4b0b835358d3c4517ae8a038bc86dcf0df04d2


Perhaps you are interpreting "may be used" to mean "is functional"?  Its
meaning here is "is permitted", i.e. permitted by the client
configuration.  I think that the following sentence makes this clear.


>
> Additionally, I do not understand it fully, but to me it seems that the
> situation described as "the pushed URI is one that the client would have
> directed the same query to if the client had initiated the request." would
> be
> very rare.
>
> Suppose that the client connects to example.com, and example.com tries to
> push a
> DNS resolution for foo.com. It seems (as I get it) that the client could
> only
> use the DNS resolution of foo.com when example.com is configured by the
> client
> as the chosen DNS API server. So, a pushed DNS resolution could only be
> used
> when contacting a HTTP server that at the same time is configured as a DNS
> API,
> which is exceedingly rare.
>
> Therefore, it would probably be better to specify that only a configured
> DNS API
> server may push DNS responses.
>
>
I think that is both the intent and the effect of this text.  The final
sentence operationalizes the notion of configuration in a way that reduces
ambiguity.


>
> On the other hand, it may happen that the DNS API server pushes additional
> responses to a DNS query. For example, when the DNS client requests an AAAA
> record for milk-and-pie.deviantart.com and it happens to be an alias for
> www.deviantart.com, the DNS API server may push a DNS resolution for
> www.deviantart.com. [1]
>
>
> Am I reading the text correctly here?
>
> Greetings,
> Mateusz Jończyk
>
> [1] I have to admit I do not know DNS well enough to know whether such
> server
> push could be beneficial and when.
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>