Re: [Doh] Mirja Kühlewind's No Objection on draft-ietf-doh-dns-over-https-13: (with COMMENT)

"Rene 'Renne' Bartsch, B.Sc. Informatics" <ietf@bartschnet.de> Thu, 16 August 2018 07:33 UTC

To: doh@ietf.org
References: <153417233866.25070.3751592720564238859.idtracker@ietfa.amsl.com> <CAOdDvNoqVxETNz4JxgrcZSRZ-Tb2+oQPcOCjjS3gH4z+YHcptQ@mail.gmail.com>
From: "Rene 'Renne' Bartsch, B.Sc. Informatics" <ietf@bartschnet.de>
Message-ID: <a5fc3c08-23e3-7f8c-94af-1cd5a9491d29@bartschnet.de>
Date: Thu, 16 Aug 2018 09:33:39 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/QhmtS55YQUBTgZMz4t53qrv96Ps>
Subject: Re: [Doh] Mirja Kühlewind's No Objection on draft-ietf-doh-dns-over-https-13: (with COMMENT)


On 13.08.2018 at 19:06, Patrick McManus wrote:
> Thanks Mirja.
> 
> On Mon, Aug 13, 2018 at 10:58 AM, Mirja Kühlewind <ietf@kuehlewind.net <mailto:ietf@kuehlewind.net>> wrote:
> 
> 
>     One question:
>     In case DoH doesn't work for some reason, is this supposed to fallback to DNS
>     over TLS? I guess if the selected host name would allow detection of DNS and
>     SNI is used, it wouldn't be too hard to block DoH requests....? Is that a
>     concern?
> 
> 
> DoH doesn't proscribe any particular path to choosing servers and protocols (even for choosing the DoH server) - each protocol has different properties and particular servers might have properties only the configurer can understand (e.g. trust in the service, not just authentication) in the context of the endpoints it knows about. So whether fallback is suitable is something DoH can only really comment on by describing its properties (encrypted and authenticated transport).

I suggest addressing downgrade attacks.

> 
> There is no expectation that the same server run DNS service using more than one protocol (i.e. there is no expectation that you use the same host and ratchet down from doh, to dot, to plaintext tcp, to dns.)
> 
>     Also one smallish comment:
>     As already brought up in the TSV-ART review (Thanks Fernando!) I would recommend
>     to further clarify this sentence in section 5.1: "Using the GET method is
>     friendlier to many HTTP cache implementations." What does "friendlier" mean...?
>     Or at least maybe provide a forward reference to sec 6.1
> 
> 
> roughly it means more likely to work for a variety of reasons... I'm not sure delving into those reasons really is helpful to the DoH reader - the important property is that HTTP caching works well with GET and not so well with POST. Is friendly a bad word for that? It's commonly used in the http and application space around caching afaict.
> 

I suggest something like "better caching performance".

Renne
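As an added illustration of the GET-versus-POST caching point discussed in the thread (this is not code from the draft or from any poster), the following Python builds a DoH query both ways and shows why only the GET form gives a generic HTTP cache a usable key. It assumes the `dns=` base64url parameter, the transaction-ID-of-zero advice and the minimum-TTL freshness rule as published in RFC 8484; the endpoint URL is a constructed placeholder.

```python
import base64
import struct

# Constructed placeholder; a real DoH URI template comes from configuration.
DOH_ENDPOINT = "https://doh.example.net/dns-query"


def build_query(name, qtype=1, txid=0):
    """Minimal DNS wire-format query: header plus one question, class IN.
    txid defaults to 0 as RFC 8484 recommends: identical questions then
    produce identical bytes, hence identical URLs and cache keys for GET."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(wire, endpoint=DOH_ENDPOINT):
    """GET form: base64url-encoded message, padding stripped, in `dns=`.
    The whole question is in the URL, which is what HTTP caches key on."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_dns_param(url):
    """Server side: recover the wire message from the `dns` parameter,
    restoring the base64 padding the client was required to strip."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def doh_post_request(wire, endpoint=DOH_ENDPOINT):
    """POST form: the question lives in the body, so the URL is the same
    for every query and a generic HTTP cache cannot distinguish them."""
    return {"method": "POST", "url": endpoint,
            "headers": {"Content-Type": "application/dns-message"},
            "body": wire}


def response_max_age(answer_ttls):
    """Freshness lifetime a DoH server may advertise for a response: no
    longer than the smallest TTL it contains, so an HTTP cache never
    serves an answer past the point the DNS data itself has expired."""
    return min(answer_ttls)
```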