Re: [Doh] DoH client-server interoperability vs. strict HTTP parameter checking
Patrick McManus <mcmanus@ducksong.com> Sat, 01 June 2019 21:22 UTC
Return-Path: <mcmanus@ducksong.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07BDC120118 for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 14:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=AmaEUmYn; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=tZetCP17
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IC9Bq8tVMMNl for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 14:22:30 -0700 (PDT)
Received: from outbound1b.ore.mailhop.org (outbound1b.ore.mailhop.org [54.200.247.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 405B81200B1 for <doh@ietf.org>; Sat, 1 Jun 2019 14:22:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559424146; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=WEARzqC/ZHUkjfIHKeEYOcg3B2gq/ulCJoYG6W94r7ggqi19WEgi/8OVkbHVyHQDiO0dW7eLngB3V xrye1y/5mmahbwpujR4QCVMCntvwE8Beoan2kR8jvWHKrMB8BtzG3k4h4RxcMp3QlQQXqoQxkY54Sc p7oFyaIIytt148+Kd/QagSpqUIxrrdH2DdJqs0Sf3fIPO6EDlGatf0UaAwWa2I/IjS05nMq578qznA euCpSTTzQ2mTHN1jJbceMNNbR9CyyvWfjVToRU5sGPUMlwO8Zv03ZoILTip2Ewhhn2XhQZgvkzwDMN ZG3Xx4HdQCZ6lpplBIFY47rbS+LTKBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=GVn51HgGVjAc7p2JOI5nO/W5//W7ngoTrWShAGSnvcdHSOCZ0liATn0VW8EiXIv9a9YJk6kF8nliI 97vKMK3RYa67q0wJ7kTxnJpwFFJoEys4Drb7kK4U2uDOtNqyfsk8XDZ46wfVAFe38pgaDQxjm6YSXy ZN/KPegE/94A6NSG7aMIotc+6Y0ckAr5v8AolfojHTfeXihcP4eqcgKkV2Qkd33uA684g+hMArsCRm BvFxufo7I9SjmtwgUJ6gHWDvoR0VzLoOZjZxS8EqKKN7CzIp2yA3bNqllm+egR8ELtdKxP8EdMCoM5 WxT0SekE4e38imFWmBk4PpdYUSbYEwA==
ARC-Authentication-Results: i=1; outbound3.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.167.173; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=AmaEUmYnq0LFywJGOn3s7SILTTWhPcTiOEnCWBSZmcMgy7mfxjuTIOC6/FldaoFKK3dyK21Z8A9Cx 8Q0rlLiP5/6cRo0+UPxvxE8q+AEmtwNvt1B3TfLusbJqZzzO0eV46sV9XPCWc9zDiwptHT1e6ZXAtl Po6kdy+t2YXxDxIo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=bFM3UAJZvAlQA5y64/StpmvsZ5/K6cjoKvCelcZiRzE=; b=tZetCP17n1rX7qdHWwJmczFTI/CnEwwpqmFhhwIQ9gUQ5ib3SlYKlH+XO3npAyOeZy+liT3UMCLur oMDF+c5unjv/G7HJSzVUZ0TCTfDq93ZGdH0hRt/ByHp/fMoTHnnPH9mSIAskqB8SWZT2WY6AiGNsHK JUYKBHQ6Y/6ZPHo74RfbeRn8H7rO5x57HBmhQSWo3mBTX3xsx032hMu0j4n4oFusYpOHDrwyt3LP/f UMfzwAiPekylWEqumcwzaMtJMW7C3phxlmm5Y6dyYtZZd2S7piZknT7vNi23PXP6aLhRgKN1jxApjQ 96KqqtiZVKD+Mc7g1J00ybqBK7F7lNw==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 5976a55c-84b3-11e9-990f-673a89bc4518
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.167.173
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-oi1-f173.google.com (unknown [209.85.167.173]) by outbound3.ore.mailhop.org (Halon) with ESMTPSA id 5976a55c-84b3-11e9-990f-673a89bc4518; Sat, 01 Jun 2019 21:22:25 +0000 (UTC)
Received: by mail-oi1-f173.google.com with SMTP id b20so6717183oie.12 for <doh@ietf.org>; Sat, 01 Jun 2019 14:22:24 -0700 (PDT)
X-Gm-Message-State: APjAAAVeTfEpUris78QdvqnxNfgTBjcq0mHVqDO+nulWm7EY2QhmGDQO k6b9uxk/G6qXdFNbZLRdyEWQDKZpJNNDLLQZhM4=
X-Google-Smtp-Source: APXvYqwhHtg0BdxOr5Gs2MS0IN89tWr3P8h3ADHtx4/m/1BX+6mDYcCXsdgQ/gZYBRpkIV4v1cMksgEKZFNN5LnG5qo=
X-Received: by 2002:aca:5c54:: with SMTP id q81mr3072794oib.91.1559424144403; Sat, 01 Jun 2019 14:22:24 -0700 (PDT)
MIME-Version: 1.0
References: <770d0bf0-0a93-4d9a-4cb1-1f1e44c584aa@appliedprivacy.net>
In-Reply-To: <770d0bf0-0a93-4d9a-4cb1-1f1e44c584aa@appliedprivacy.net>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Sat, 01 Jun 2019 17:22:13 -0400
X-Gmail-Original-Message-ID: <CAOdDvNoupseaLaSDGWTN99LHvR50n=7tbwnELAUjQzp+fPR5Ow@mail.gmail.com>
Message-ID: <CAOdDvNoupseaLaSDGWTN99LHvR50n=7tbwnELAUjQzp+fPR5Ow@mail.gmail.com>
To: Christoph <cm@appliedprivacy.net>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e75c6058a49ba0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Lb8fHllfiN9Hw2n1NiZIPHMcFzc>
Subject: Re: [Doh] DoH client-server interoperability vs. strict HTTP parameter checking
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jun 2019 21:22:33 -0000
Hi. 8484 servers specify their set of doh uris via uri templates.. which certainly could involve params not in 8484. Such a service would require those params. As for whether a server should be liberal in receiving a uri that does not match it's configured template ... That's a specific instance of a question perhaps more hotly debated than doh itself.. https://tools.ietf.org/html/draft-iab-protocol-maintenance-03 8484 does not, and really cannot, proscribe the error handling for whether the rest of the http server fixes the issue On Sat, Jun 1, 2019, 8:36 AM Christoph <cm@appliedprivacy.net> wrote: > Hello, > > we run a public DoH service and while running and comparing > different DoH server implementations in practice we noticed that > some have a higher error rate than others. > The error rate was measured by looking at the fraction of each HTTP > response code. > > It turned out that those server implementations with a higher error rate > just do stricter HTTP parameter checking. Not necessarily the content of > the parameter but the list of parameters contained in the request. > > The result is that some DoH clients are not compatible with some DoH > servers. > > The error condition is caused by DoH clients that have additional HTTP > parameters in the request that is not specified in section 4.1 of > RFC8484 in combination with DoH server implementations that enforce the > absence of any additional parameters. > > To increase interoperability we reached out to (some) affected DoH > client and server vendors but we would also like to hear opinions from > this WG. > > Should DoH servers reject requests with a '400 Bad Request' > response when the request contains HTTP parameters not defined in RFC8484 > or > should DoH servers be less strict and simply ignore additional HTTP > parameters and proceed with processing the relevant HTTP parameters > required to provide an answer? > > > thanks, > Christoph > > _______________________________________________ > Doh mailing list > Doh@ietf.org > https://www.ietf.org/mailman/listinfo/doh > >
- [Doh] DoH client-server interoperability vs. stri… Christoph
- Re: [Doh] [Ext] DoH client-server interoperabilit… Paul Hoffman
- Re: [Doh] [Ext] DoH client-server interoperabilit… Mark Delany
- Re: [Doh] [Ext] DoH client-server interoperabilit… Christoph
- Re: [Doh] DoH client-server interoperability vs. … Patrick McManus
- Re: [Doh] [Ext] DoH client-server interoperabilit… bert hubert
- Re: [Doh] [Ext] DoH client-server interoperabilit… Mark Delany
- Re: [Doh] [Ext] DoH client-server interoperabilit… Joe Abley
- [Doh] signalling client expectations and server c… Jim Reid
- Re: [Doh] signalling client expectations and serv… Mark Delany
- Re: [Doh] DoH client-server interoperability vs. … Vladimír Čunát
- Re: [Doh] DoH client-server interoperability vs. … Joe Abley
- Re: [Doh] DoH client-server interoperability vs. … Patrick McManus