Re: [Doh] WG Review: DNS Over HTTPS (doh)

[Mark Nottingham <mnot@mnot.net>]

Hi Ted,

Sorry, threading is a bit confusing below (thanks, GMail).

> On 19 Sep 2017, at 3:20 am, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> On Sat, Sep 16, 2017 at 8:00 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> > So, I don't that this is established.  One mental model for this work is that DNS, having started with UDP and TCP as transports, has now added a set of additional secure transports.  Two of those were defined in DPRIV; this defines another.  From that perspective, any time an application requires a DNS name to be resolved, the relevant local code would try the set of secure transports until it got an answer.  The application may not know which is used and does not specify it; it is simply getting the DNS answer back that allows it to proceed.
> 
> Every time people start talking in this manner and referring to HTTP as a "transport", I get flashbacks to WS-* and what a glorious failure that was.
> 
> 
> If it helps, I am happy to say "facilitating protocol".  The mental model question for the charter is really:
> 
> Does this add a new tool for DNS systems attempting resolution to use when previous efforts are blocked?  So any DNS resolution might use it, whether from a browser, an app, or system call, but that those would not *specify* it be used?

That sounds like an implementation choice, not a protocol decision. What in the protocol could constrain that?


> Does this add a method for Web application to directly resolve DNS resource records

Well, once it's available over HTTP, that's certainly possible. A quick search for "DNS lookup online" shows many people doing that already, albeit with different formats.


> using a resolver self-identified in the Javascript? So DNS resolutions are instantiated and consumed by Javascript without any intermediation by the local DNS resolver or the browser's DNS rules?

What does "a resolver self-identified in the Javascript" mean, exactly?

Are you supposing some sort of rendezvous system where I can "install" a DOH resolver from one origin and have it affect requests sent to another?

Doing so isn't possible on the current Web, so enabling it would require some fairly heavy lifting at the W3C and/or WHATWG (which on the face of it, they're not likely to think is sane). I can only hope that defining such a thing is out of scope for this WG, as we truly don't have the expertise here.


> Does this charter aim for the working group to do both?
> 
> As currently written, I see the charter describing 1.  There has been an argument that it also do 2 or that 2 becomes possible when 1 is specified and is thus automatically part of the scope.  If that is the case, I believe the charter needs a re-write to describe it.  

See above.

>  
> > The name of the group (DNS over HTTP), the justification at the beginning of the charter:
> >
> > This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS) experience problems. This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS)
> > experience problems.
> >
> > and Paul's input draft all point to that interpretation.  Note especially that Paul's draft provides the UDP wireformat as response.  To me, that strongly hints that the results of this get handed to the same bit of code that would take the UDP wireformat from other transports (like UDP) and do what it would have done with data retreived from any of those.  That behavior makes sense for DNS transported over HTTP, where you are talking to an authoritative server or shared resolver over a new transport.
> 
> I don't disagree that the charter lays out that the goal is to enable the use case of DNS using HTTP semantics -- that's hopefully uncontroversial.
> 
> > That order of operations does not make sense as a new resource type available to web applications, in part because they can't tell from examining the URI whether the resulting *resource* obeys CORS or not.
> 
> It's not clear why that's an important property. Why is it necessary?
> 
> 
> If it goes into a browser or system cache, it is an important property; it may also be important depending on the UI result.  If the JavaScript-internal resolution process feeds other parts of the page, it may even be a problem.

When you say "cache", do you mean HTTP or DNS? I'm afraid I still don't get what you're looking for here.


>  > There are serious attacks here that even DNSSEC won't catch, because a malicious server and cooperating JavaScript app could give correct answers that are non performant (like the search engine instance on the most distant continent).
> 
> Who would be consuming these answers? How is this different from configuring your system to use a malicious DNS resolver (either in an application or the OS)?
> 
> Because the JavaScript you download could pick the resolver.  The OS and browser are largely trusted; the JavaScript is largely not.

OK, this seems to indicate you *do* think that somehow arbitrary JS can take over DNS resolution for the system or browser. What led you to that conclusion?


>  > And, if there really was a handoff to the local DNS subsystem for parsing and processing, the JavaScript also wouldn't be able to tell whether the result they get from that subsystem is the one that the just retrieved (because a cache entry from some other system may have a different SOA record and be returned as a result instead).  To avoid that, they would have build udp wireformat parsers into the downloadable javascript.
> >
> > I think if you want the second, a way of making DNS resources available to web applications, you need a very different approach; it may be valuable, but I don't believe this charter covers it.  If it is meant to, it needs a major re-write.
> 
> I agree there are significant risks when using DNS. I think the question is what to do about it.
> 
> One thing the WG could do would be to write some Security Considerations about the different ways this could be sub-optimal or even dangerous.
> 
> I don't see how giving the protocol a new URI scheme avoids these risks, given that the defined resources would be available over HTTP still.
> 
> 
> It gives the browser something to look at.  If it rejects udp-wireformat mime types being returned from HTTPS URIs but accepts them from dnsh URIs, it can handle the data differently.
> 
>  I don't know that browsers want to do that, mind you, I'm simple saying that the working group could decide that this was a reasonable facility to consider.  Ruling out ways for the ecosystem to distinguish this from other web resources seems to be the wrong way to go, at least to me.

Again, I don't think this WG should be attempting to allow any sort of automated control of browser or system DNS resolution from the Web (e.g., JS, triggered by arbitrary URI schemes, mime types, whatever); I've seen zero desire from any implementer to allow that, it's fraught with security, privacy and other issues, and has dubious benefit.

The use case that I believe most have in mind is "as a user, I want to configure my [browser, OS] to use *this* DOH service for DNS resolution" -- where that configuration is manual; e.g., a configuration textbox or dropdown in the browser, or a file in /etc. It might be made more user-friendly; e.g., it could be automatic when the user goes into the ill-defined "private mode." 

The current charter allows that. I *think* the issues you're concerned about are in a very different area -- roughly, "automated control of DNS resolution." I'm not sure where you got the sense that this was on the table, but if it will help, write it out of the charter.

Cheers,

--
Mark Nottingham   https://www.mnot.net/