Re: [Doh] DoH client-server interoperability vs. strict HTTP parameter checking

Patrick McManus <mcmanus@ducksong.com> Sat, 01 June 2019 21:22 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07BDC120118 for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 14:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=AmaEUmYn; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=tZetCP17
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IC9Bq8tVMMNl for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 14:22:30 -0700 (PDT)
Received: from outbound1b.ore.mailhop.org (outbound1b.ore.mailhop.org [54.200.247.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 405B81200B1 for <doh@ietf.org>; Sat, 1 Jun 2019 14:22:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559424146; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=WEARzqC/ZHUkjfIHKeEYOcg3B2gq/ulCJoYG6W94r7ggqi19WEgi/8OVkbHVyHQDiO0dW7eLngB3V xrye1y/5mmahbwpujR4QCVMCntvwE8Beoan2kR8jvWHKrMB8BtzG3k4h4RxcMp3QlQQXqoQxkY54Sc p7oFyaIIytt148+Kd/QagSpqUIxrrdH2DdJqs0Sf3fIPO6EDlGatf0UaAwWa2I/IjS05nMq578qznA euCpSTTzQ2mTHN1jJbceMNNbR9CyyvWfjVToRU5sGPUMlwO8Zv03ZoILTip2Ewhhn2XhQZgvkzwDMN ZG3Xx4HdQCZ6lpplBIFY47rbS+LTKBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=GVn51HgGVjAc7p2JOI5nO/W5//W7ngoTrWShAGSnvcdHSOCZ0liATn0VW8EiXIv9a9YJk6kF8nliI 97vKMK3RYa67q0wJ7kTxnJpwFFJoEys4Drb7kK4U2uDOtNqyfsk8XDZ46wfVAFe38pgaDQxjm6YSXy ZN/KPegE/94A6NSG7aMIotc+6Y0ckAr5v8AolfojHTfeXihcP4eqcgKkV2Qkd33uA684g+hMArsCRm BvFxufo7I9SjmtwgUJ6gHWDvoR0VzLoOZjZxS8EqKKN7CzIp2yA3bNqllm+egR8ELtdKxP8EdMCoM5 WxT0SekE4e38imFWmBk4PpdYUSbYEwA==
ARC-Authentication-Results: i=1; outbound3.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.167.173; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=AmaEUmYnq0LFywJGOn3s7SILTTWhPcTiOEnCWBSZmcMgy7mfxjuTIOC6/FldaoFKK3dyK21Z8A9Cx 8Q0rlLiP5/6cRo0+UPxvxE8q+AEmtwNvt1B3TfLusbJqZzzO0eV46sV9XPCWc9zDiwptHT1e6ZXAtl Po6kdy+t2YXxDxIo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=tZetCP17n1rX7qdHWwJmczFTI/CnEwwpqmFhhwIQ9gUQ5ib3SlYKlH+XO3npAyOeZy+liT3UMCLur oMDF+c5unjv/G7HJSzVUZ0TCTfDq93ZGdH0hRt/ByHp/fMoTHnnPH9mSIAskqB8SWZT2WY6AiGNsHK JUYKBHQ6Y/6ZPHo74RfbeRn8H7rO5x57HBmhQSWo3mBTX3xsx032hMu0j4n4oFusYpOHDrwyt3LP/f UMfzwAiPekylWEqumcwzaMtJMW7C3phxlmm5Y6dyYtZZd2S7piZknT7vNi23PXP6aLhRgKN1jxApjQ 96KqqtiZVKD+Mc7g1J00ybqBK7F7lNw==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 5976a55c-84b3-11e9-990f-673a89bc4518
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.167.173
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-oi1-f173.google.com (unknown [209.85.167.173]) by outbound3.ore.mailhop.org (Halon) with ESMTPSA id 5976a55c-84b3-11e9-990f-673a89bc4518; Sat, 01 Jun 2019 21:22:25 +0000 (UTC)
Received: by mail-oi1-f173.google.com with SMTP id b20so6717183oie.12 for <doh@ietf.org>; Sat, 01 Jun 2019 14:22:24 -0700 (PDT)
X-Gm-Message-State: APjAAAVeTfEpUris78QdvqnxNfgTBjcq0mHVqDO+nulWm7EY2QhmGDQO k6b9uxk/G6qXdFNbZLRdyEWQDKZpJNNDLLQZhM4=
X-Google-Smtp-Source: APXvYqwhHtg0BdxOr5Gs2MS0IN89tWr3P8h3ADHtx4/m/1BX+6mDYcCXsdgQ/gZYBRpkIV4v1cMksgEKZFNN5LnG5qo=
X-Received: by 2002:aca:5c54:: with SMTP id q81mr3072794oib.91.1559424144403; Sat, 01 Jun 2019 14:22:24 -0700 (PDT)
MIME-Version: 1.0
References: <770d0bf0-0a93-4d9a-4cb1-1f1e44c584aa@appliedprivacy.net>
In-Reply-To: <770d0bf0-0a93-4d9a-4cb1-1f1e44c584aa@appliedprivacy.net>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sat, 1 Jun 2019 17:22:13 -0400
X-Gmail-Original-Message-ID: <CAOdDvNoupseaLaSDGWTN99LHvR50n=7tbwnELAUjQzp+fPR5Ow@mail.gmail.com>
Message-ID: <CAOdDvNoupseaLaSDGWTN99LHvR50n=7tbwnELAUjQzp+fPR5Ow@mail.gmail.com>
To: Christoph <cm@appliedprivacy.net>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e75c6058a49ba0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Lb8fHllfiN9Hw2n1NiZIPHMcFzc>
Subject: Re: [Doh] DoH client-server interoperability vs. strict HTTP parameter checking
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jun 2019 21:22:33 -0000

Hi.

8484 servers specify their set of doh uris via uri templates.. which
certainly could involve params not in 8484. Such a service would require
those params.

As for whether a server should be liberal in receiving a uri that does not
match it's configured template ... That's a specific instance of a question
perhaps more hotly debated than doh itself..

https://tools.ietf.org/html/draft-iab-protocol-maintenance-03

8484 does not, and really cannot, proscribe the error handling for whether
the rest of the http server fixes the issue

On Sat, Jun 1, 2019, 8:36 AM Christoph <cm@appliedprivacy.net>; wrote:

> Hello,
>
> we run a public DoH service and while running and comparing
> different DoH server implementations in practice we noticed that
> some have a higher error rate than others.
> The error rate was measured by looking at the fraction of each HTTP
> response code.
>
> It turned out that those server implementations with a higher error rate
> just do stricter HTTP parameter checking. Not necessarily the content of
> the parameter but the list of parameters contained in the request.
>
> The result is that some DoH clients are not compatible with some DoH
> servers.
>
> The error condition is caused by DoH clients that have additional HTTP
> parameters in the request that is not specified in section 4.1 of
> RFC8484 in combination with DoH server implementations that enforce the
> absence of any additional parameters.
>
> To increase interoperability we reached out to (some) affected DoH
> client and server vendors but we would also like to hear opinions from
> this WG.
>
> Should DoH servers reject requests with a '400 Bad Request'
> response when the request contains HTTP parameters not defined in RFC8484
> or
> should DoH servers be less strict and simply ignore additional HTTP
> parameters and proceed with processing the relevant HTTP parameters
> required to provide an answer?
>
>
> thanks,
> Christoph
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
>