[Doh] Proposal: DNS configuration string
Mateusz Jończyk <mat.jonczyk@o2.pl> Sun, 02 June 2019 09:44 UTC
Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7541C12008F for <doh@ietfa.amsl.com>; Sun, 2 Jun 2019 02:44:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=o2.pl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHI4koJLlxva for <doh@ietfa.amsl.com>; Sun, 2 Jun 2019 02:44:38 -0700 (PDT)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB9CC120025 for <doh@ietf.org>; Sun, 2 Jun 2019 02:44:37 -0700 (PDT)
Received: (wp-smtpd smtp.tlen.pl 20152 invoked from network); 2 Jun 2019 11:44:34 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=o2.pl; s=1024a; t=1559468674; bh=W31E0YJ30twuFpZPJuaChrqmMoL5FrRLBkMbtxT7270=; h=From:Subject:To; b=chiz7fUeD7eqbPLTqJg2YIXAHnDLkw8QrzZjZ1VVkM/fmZcipXB0ef7UVa9sv0Uu0 UhwFW2053r4PFlSg45+EUYEsuVVr7a3FPceWLwKAoNoBhBkLrOQdshgDVVnbGvWmws Gy2zcznUPMKv0yGfw37YyaO0MzSAhwase26XKl5k=
Received: from aclk15.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[83.10.112.15]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP for <doh@ietf.org>; 2 Jun 2019 11:44:34 +0200
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
To: DoH WG <doh@ietf.org>
Openpgp: preference=signencrypt
Autocrypt: addr=mat.jonczyk@o2.pl; prefer-encrypt=mutual; keydata= xsFNBFqMDyQBEAC2VYhOvwXdcGfmMs9amNUFjGFgLixeS2C1uYwaC3tYqjgDQNo/qDoPh52f ExoTMJRqx48qvvY/i6iwia7wOTBxbYCBDqGYxDudjtL41ko8AmbGOSkxJww5X/2ZAtFjUJxO QjNESFlRscMfDv5vcCvtH7PaJJob4TBZvKxdL4VCDCgEsmOadTy5hvwv0rjNjohau1y4XfxU DdvOcl6LpWMEezsHGc/PbSHNAKtVht4BZYg66kSEAhs2rOTN6pnWJVd7ErauehrET2xo2JbO 4lAv0nbXmCpPj37ZvURswCeP8PcHoA1QQKWsCnHU2WeVw+XcvR/hmFMI2QnE6V/ObHAb9bzg jxSYVZRAWVsdNakfT7xhkaeHjEQMVRQYBL6bqrJMFFXyh9YDj+MALjyb5hDG3mUcB4Wg7yln DRrda+1EVObfszfBWm2pC9Vz1QUQ4CD88FcmrlC7n2witke3gr38xmiYBzDqi1hRmrSj2WnS RP/s9t+C8M8SweQ2WuoVBLWUvcULYMzwy6mte0aSA8XV6+02a3VuBjP/6Y8yZUd0aZfAHyPi Rf60WVjYNRSeg27lZ9DJmHjSfZNn1FrtZi3W9Ff6bry/SY9D136qXBQxPYxXQfaGDhVeLUVF Q+NIZ6NEjqrLQ07LEvUW2Qzk2q851/IaXZPtP6swx0gqrpjNrwARAQABzSRNYXRldXN6IEpv xYRjenlrIDxtYXQuam9uY3p5a0BvMi5wbD7CwX4EEwECACgFAlqMDyQCGwMFCRLMAwAGCwkI BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPvWWrhhCv7Gb0MQAJVIpJ1KAOH6WaT8e65xZulI 1jkwGwNp+3bWWc5eLjKUnXtOYpa9oIsUUAqvh/L8MofGtM1V11kSX9dEloyqlqDyNSQk0h52 hZxMsCQyzjGOcBAi0zmWGYB4xu6SXj4LpVpIPW0sogduEOfbC0i7uAIyotHgepQ8RPGmZoXU 9bzFCyqZ8kAqwOoCCx+ccnXtbnlAXQmDb88cIprAU+Elk4k4t7Bpjn2ek4fv35PsvsBdRTq3 ADg8sGuq4KQXhbY53n1tyiab3M88uv6Cv//Ncgx+AqMdXq2AJ7amFsYdvkTC98sx20qk6Cul oHggmCre4MBcDD4S0qDXo5Z9NxVR/e9yUHxGLc5BlNj+FJPO7zwvkmIaMMnMlbydWVke0FSR AzJaEV/NNZKYctw2wYThdXPiz/y7aKd6/sM1jgPlleQhs3tZAIdjPfFjGdeeggv668M7GmKl +SEzpeFQ4b0x64XfLfLXX8GP/ArTuxEfJX4L05/Y9w9AJwXCVEwW4q17v8gNsPyVUVEdIroK cve6cgNNSWoxTaYcATePmkKnrAPqfg+6qFM4TuOWmyzCLQ1YoUZMxH+ddivDQtlKCp6JgGCz c9YCESxVii0vo8TsHdIAjQ/px9KsuYBmOlKnHXKbj6BsE/pkMMKQg/L415dvKzhLm2qVih7I U16IAtK5b7RpzsFNBFqMDyQBEACclVvbzpor4XfU6WLUofqnO3QSTwDuNyoNQaE4GJKEXA+p Bw5/D2ruHhj1Bgs6Qx7G4XL3odzO1xT3Iz6w26ZrxH69hYjeTdT8VW4EoYFvliUvgye2cC01 ltYrMYV1IBXwJqSEAImU0Xb+AItAnHA1NNUUb9wKHvOLrW4Y7Ntoy1tp7Vww2ecAWEIYjcO6 AMoUX8Q6gfVPxVEQv1EpspSwww+x/VlDGEiiYO4Ewm4MMSP4bmxsTmPb/f/K3rv830ZCQ5Ds U0rzUMG2CkyF45qXVWZ974NqZIeVCTE+liCTU7ARX1bN8VlU/yRs/nP2ISO0OAAMBKea7slr mu93to9gXNt3LEt+5aVIQdwEwPcqR09vGvTWdRaEQPqgkOJFyiZ0vYAUTwtITyjYxZWJbKJh JFaHpMds9kZLF9bH45SGb64uZrrE2eXTyI3DSeUS1YvMlJwKGumRTPXIzmVQ5PHiGXr2/9S4 16W9lBDJeHhmcVOsn+04x5KIxHtqAP3mkMjDBYa0A3ksqD84qUBNuEKkZKgibBbs4qT35oXf kgWJtW+JziZf6LYx4WvRa80VDIIYCcQM6TrpsXIJI+su5qpzON1XJQG2iswY8PJ40pkRI9Sm kfTFrHOgiTpwZnI9saWqJh2ABavtnKZ1CtAY2VA8gmEqQeqs2hjdiNHAmRxR2wARAQABwsFl BBgBAgAPBQJajA8kAhsMBQkSzAMAAAoJEPvWWrhhCv7GhpYP/1tH/Kc35OgWu2lsgJxR9Z49 4q+yYAuu11p0aQidL5utMFiemYHvxh/sJ4vMq65uPQXoQ3vo8lu9YR/p8kEt8jbljJusw6xQ iKA1Cc68xtseiKcUrjmN/rk3csbT+Qj2rZwkgod8v9GlKo6BJXMcKGbHb1GJtLF5HyI1q4j/ zfeu7G1gVjGTx8e2OLyuBJp0HlFXWs2vWSMesmZQIBVNyyL9mmDLEwO4ULK2quF6RYtbvg+2 PMyomNAaQB4s1UbXAO87s75hM79iszIzak2am4dEjTx+uYCWpvcw3rRDz7aMs401CphrlMKr WndS5qYcdiS9fvAfu/Jp5KIawpM0tVrojnKWCKHG4UnJIn+RF26+E7bjzE/Q5/NpkMblKD/Y 6LHzJWsnLnL1o7MUARU++ztOl2Upofyuj7BSath0N632+XCTXk9m5yeDCl/UzPbP9brIChuw gF7DbkdscM7fkYzkUVRJM45rKOupy5Z03EtAzuT5Z/If3qJPU0txAJsquDohppFsGHrzn/X2 0nI2LedLnIMUWwLRT4EvdYzsbP6im/7FXps15jaBOreobCaWTWtKtwD2LNI0l9LU9/RF+4Ac gwYu1CerMmdFbSo8ZdnaXlbEHinySUPqKmLHmPgDfxKNhfRDm1jJcGATkHCP80Fww8Ihl8aS TANkZ3QqXNX2
Message-ID: <b38f0ad7-ede0-4eaa-07e8-76dbb8668bd3@o2.pl>
Date: Sun, 02 Jun 2019 11:44:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="1qaF0aRMHAYucF3RoRU1IFyYROOLjt3Ec"
X-WP-MailID: 52f7863bff9f8f97ea2172b89e2b79a2
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 0000001 [AUIU]
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/RWfCnTa2FjrcxAHj3U5IFbsxBQM>
Subject: [Doh] Proposal: DNS configuration string
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Jun 2019 09:44:41 -0000
Hello,
Currently, there are multiple ways of resolving DNS queries:
* old port-53 DNS,
* DNS over TLS,/
* DNS over HTTPS.
Some of these accept additional parameters, such as server certificate
information (which may be necessary when using local DoH / DoT servers). These
parameters are server-specific --- when configuring multiple servers, each of
them may need different certificate information.
I would argue that it would be beneficial to embed all such parameters into a
single server specification string. The user would be able to copy-paste them,
for example from the website of their chosen DNS resolver, a file provided by
their sysadmin or from their router configuration GUI. A DHCP server could
advertise the string in a single field. Additionally, an application could pass
the whole string to a DNS-handling library. That way the application would not
have to implement support for all DNS configuration parameters on its own (with
complex GUIs) and new parameters (or even new DNS resolver types) could be
supported by the program after a library upgrade. This would also simplify
configuration file structure (allowing for a single server per line).
Some examples [3]:
* *doh://dnsserver.example.net/dns-query{?dns};***ip=1.2.3.4*;root-***cert=***zdYsea0CQufOmBpLdLfu/q3tOOdxbBCuZNhAa+YuQWo*
* *dns://1.2.3.4;valid-for=_nodot,.some-company*
I would like to propose to use a semicolon ';' as the separator between a
resolver address (or an URI template) and resolver parameters. Theoretically, a
DoH URI Template could contain a semicolon, but that should be very rare [1]. In
such cases, the semicolon would be percent-encoded as "%3B".
Parameter explanation:
* *ip* - IP of the DoH resolver, used for bootstrapping,
* *root-cert* - fingerprint of the root certificate of the DoH server
(specified in a similar way as in HTTP certificate pinning),
* *valid-for *- which domain names should be resolved by this server: in this
example all names that do not contain a dot ("*_nodot*") [4] as well as all
domains that end with "*.some-company*".
What do You think?
Greetings,
Mateusz
[1] A URI segment that begins with a semicolon is called a *path parameter*. An
example (taken from [2]) would be:
*http://www.mysite.com/admin/UpdateUserServlet;jsessionid=OI24B9ASD7BSSD*
The URI template specification (RFC6570) supports expansion of path parameters
with a syntax like:
*http://example.com/**{;who}*
[2] https://doriantaylor.com/policy/http-url-path-parameter-syntax
[3] The DoH specification requires that:
"This protocol MUST be used with the https scheme URI [RFC7230]."
but I assume that using "doh://" does not break this as the statement is really
concerned with using encryption and not the "https://" string.
[4] The first character is intentionally "_" because it cannot exist in valid
domain names.
- [Doh] Proposal: DNS configuration string Mateusz Jończyk
- Re: [Doh] Proposal: DNS configuration string Mark Nottingham
- [Doh] Proposal: DNS configuration string Mateusz Jończyk
- Re: [Doh] Proposal: DNS configuration string Mark Nottingham