From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
To: Mark Nottingham <mnot@mnot.net>
Cc: DoH WG <doh@ietf.org>
References: <b38f0ad7-ede0-4eaa-07e8-76dbb8668bd3@o2.pl>
 <41206ECE-4CD8-41A5-AE4B-2EFE0EC00A6A@mnot.net>
Openpgp: preference=signencrypt
Autocrypt: addr=mat.jonczyk@o2.pl; prefer-encrypt=mutual; keydata=
 xsFNBFqMDyQBEAC2VYhOvwXdcGfmMs9amNUFjGFgLixeS2C1uYwaC3tYqjgDQNo/qDoPh52f
 ExoTMJRqx48qvvY/i6iwia7wOTBxbYCBDqGYxDudjtL41ko8AmbGOSkxJww5X/2ZAtFjUJxO
 QjNESFlRscMfDv5vcCvtH7PaJJob4TBZvKxdL4VCDCgEsmOadTy5hvwv0rjNjohau1y4XfxU
 DdvOcl6LpWMEezsHGc/PbSHNAKtVht4BZYg66kSEAhs2rOTN6pnWJVd7ErauehrET2xo2JbO
 4lAv0nbXmCpPj37ZvURswCeP8PcHoA1QQKWsCnHU2WeVw+XcvR/hmFMI2QnE6V/ObHAb9bzg
 jxSYVZRAWVsdNakfT7xhkaeHjEQMVRQYBL6bqrJMFFXyh9YDj+MALjyb5hDG3mUcB4Wg7yln
 DRrda+1EVObfszfBWm2pC9Vz1QUQ4CD88FcmrlC7n2witke3gr38xmiYBzDqi1hRmrSj2WnS
 RP/s9t+C8M8SweQ2WuoVBLWUvcULYMzwy6mte0aSA8XV6+02a3VuBjP/6Y8yZUd0aZfAHyPi
 Rf60WVjYNRSeg27lZ9DJmHjSfZNn1FrtZi3W9Ff6bry/SY9D136qXBQxPYxXQfaGDhVeLUVF
 Q+NIZ6NEjqrLQ07LEvUW2Qzk2q851/IaXZPtP6swx0gqrpjNrwARAQABzSRNYXRldXN6IEpv
 xYRjenlrIDxtYXQuam9uY3p5a0BvMi5wbD7CwX4EEwECACgFAlqMDyQCGwMFCRLMAwAGCwkI
 BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPvWWrhhCv7Gb0MQAJVIpJ1KAOH6WaT8e65xZulI
 1jkwGwNp+3bWWc5eLjKUnXtOYpa9oIsUUAqvh/L8MofGtM1V11kSX9dEloyqlqDyNSQk0h52
 hZxMsCQyzjGOcBAi0zmWGYB4xu6SXj4LpVpIPW0sogduEOfbC0i7uAIyotHgepQ8RPGmZoXU
 9bzFCyqZ8kAqwOoCCx+ccnXtbnlAXQmDb88cIprAU+Elk4k4t7Bpjn2ek4fv35PsvsBdRTq3
 ADg8sGuq4KQXhbY53n1tyiab3M88uv6Cv//Ncgx+AqMdXq2AJ7amFsYdvkTC98sx20qk6Cul
 oHggmCre4MBcDD4S0qDXo5Z9NxVR/e9yUHxGLc5BlNj+FJPO7zwvkmIaMMnMlbydWVke0FSR
 AzJaEV/NNZKYctw2wYThdXPiz/y7aKd6/sM1jgPlleQhs3tZAIdjPfFjGdeeggv668M7GmKl
 +SEzpeFQ4b0x64XfLfLXX8GP/ArTuxEfJX4L05/Y9w9AJwXCVEwW4q17v8gNsPyVUVEdIroK
 cve6cgNNSWoxTaYcATePmkKnrAPqfg+6qFM4TuOWmyzCLQ1YoUZMxH+ddivDQtlKCp6JgGCz
 c9YCESxVii0vo8TsHdIAjQ/px9KsuYBmOlKnHXKbj6BsE/pkMMKQg/L415dvKzhLm2qVih7I
 U16IAtK5b7RpzsFNBFqMDyQBEACclVvbzpor4XfU6WLUofqnO3QSTwDuNyoNQaE4GJKEXA+p
 Bw5/D2ruHhj1Bgs6Qx7G4XL3odzO1xT3Iz6w26ZrxH69hYjeTdT8VW4EoYFvliUvgye2cC01
 ltYrMYV1IBXwJqSEAImU0Xb+AItAnHA1NNUUb9wKHvOLrW4Y7Ntoy1tp7Vww2ecAWEIYjcO6
 AMoUX8Q6gfVPxVEQv1EpspSwww+x/VlDGEiiYO4Ewm4MMSP4bmxsTmPb/f/K3rv830ZCQ5Ds
 U0rzUMG2CkyF45qXVWZ974NqZIeVCTE+liCTU7ARX1bN8VlU/yRs/nP2ISO0OAAMBKea7slr
 mu93to9gXNt3LEt+5aVIQdwEwPcqR09vGvTWdRaEQPqgkOJFyiZ0vYAUTwtITyjYxZWJbKJh
 JFaHpMds9kZLF9bH45SGb64uZrrE2eXTyI3DSeUS1YvMlJwKGumRTPXIzmVQ5PHiGXr2/9S4
 16W9lBDJeHhmcVOsn+04x5KIxHtqAP3mkMjDBYa0A3ksqD84qUBNuEKkZKgibBbs4qT35oXf
 kgWJtW+JziZf6LYx4WvRa80VDIIYCcQM6TrpsXIJI+su5qpzON1XJQG2iswY8PJ40pkRI9Sm
 kfTFrHOgiTpwZnI9saWqJh2ABavtnKZ1CtAY2VA8gmEqQeqs2hjdiNHAmRxR2wARAQABwsFl
 BBgBAgAPBQJajA8kAhsMBQkSzAMAAAoJEPvWWrhhCv7GhpYP/1tH/Kc35OgWu2lsgJxR9Z49
 4q+yYAuu11p0aQidL5utMFiemYHvxh/sJ4vMq65uPQXoQ3vo8lu9YR/p8kEt8jbljJusw6xQ
 iKA1Cc68xtseiKcUrjmN/rk3csbT+Qj2rZwkgod8v9GlKo6BJXMcKGbHb1GJtLF5HyI1q4j/
 zfeu7G1gVjGTx8e2OLyuBJp0HlFXWs2vWSMesmZQIBVNyyL9mmDLEwO4ULK2quF6RYtbvg+2
 PMyomNAaQB4s1UbXAO87s75hM79iszIzak2am4dEjTx+uYCWpvcw3rRDz7aMs401CphrlMKr
 WndS5qYcdiS9fvAfu/Jp5KIawpM0tVrojnKWCKHG4UnJIn+RF26+E7bjzE/Q5/NpkMblKD/Y
 6LHzJWsnLnL1o7MUARU++ztOl2Upofyuj7BSath0N632+XCTXk9m5yeDCl/UzPbP9brIChuw
 gF7DbkdscM7fkYzkUVRJM45rKOupy5Z03EtAzuT5Z/If3qJPU0txAJsquDohppFsGHrzn/X2
 0nI2LedLnIMUWwLRT4EvdYzsbP6im/7FXps15jaBOreobCaWTWtKtwD2LNI0l9LU9/RF+4Ac
 gwYu1CerMmdFbSo8ZdnaXlbEHinySUPqKmLHmPgDfxKNhfRDm1jJcGATkHCP80Fww8Ihl8aS
 TANkZ3QqXNX2
Message-ID: <9b0b1ad8-2be3-5b47-5e2b-b1de1052d1b9@o2.pl>
Date: Mon, 3 Jun 2019 17:47:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <41206ECE-4CD8-41A5-AE4B-2EFE0EC00A6A@mnot.net>
Content-Type: multipart/alternative;
 boundary="------------0D6862A0076D5B2E04FD2B9A"
Content-Language: pl-PL
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/V7uG17KZw3bZp78U8Jnc1iEZzPQ>
Subject: [Doh] Proposal: DNS configuration string
Precedence: list

This is a multi-part message in MIME format.
--------------0D6862A0076D5B2E04FD2B9A
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

There are many configuration parameters involved in DoH.
After encapsulating them in a single string, it is easier for the user
to set a custom DoH resolver, among other benefits (which I
elaborated on in the original e-mail).

W dniu 03.06.2019 o 00:53, Mark Nottingham pisze:

> Why not just convey this separately -- why does it have to be in the URL?
>
>> On 2 Jun 2019, at 7:44 pm, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
>>
>> Signed PGP part
>> Hello,
>>
>> Currently, there are multiple ways of resolving DNS queries:
>>
>> 	• old port-53 DNS,
>> 	• DNS over TLS,/
>> 	• DNS over HTTPS.
>> Some of these accept additional parameters, such as server certificate information 
>> (which may be necessary when using local DoH / DoT servers). These parameters are 
>> server-specific --- when configuring multiple servers, each of them may need 
>> different certificate information.
>>
>> I would argue that it would be beneficial to embed all such parameters into a 
>> single server specification string. The user would be able to copy-paste them, 
>> for example from the website of their chosen DNS resolver, a file provided by 
>> their sysadmin or from their router configuration GUI. A DHCP server could advertise 
>> the string in a single field. Additionally, an application could pass the whole 
>> string to a DNS-handling library. That way the application would not have to 
>> implement support for all DNS configuration parameters on its own (with complex 
>> GUIs) and new parameters (or even new DNS resolver types) could be supported by 
>> the program after a library upgrade. This would also simplify configuration file 
>> structure (allowing for a single server per line).
>>
>> Some examples [3]:
>>
>> 	• doh://dnsserver.example.net/dns-query{?dns};ip=1.2.3.4;root-cert=zdYsea0CQufOmBpLdLfu/q3tOOdxbBCuZNhAa+YuQWo
>> 	• dns://1.2.3.4;valid-for=_nodot,.some-company
>>
>> I would like to propose to use a semicolon ';' as the separator between 
>> a resolver address (or an URI template) and resolver parameters. Theoretically, 
>> a DoH URI Template could contain a semicolon, but that should be very rare [1]. In such cases, the semicolon would be percent-encoded as "%3B".
>>
>> Parameter explanation:
>>
>> 	• ip - IP of the DoH resolver, used for bootstrapping,
>> 	• root-cert - fingerprint of the root certificate of the 
>> DoH server (specified in a similar way as in HTTP certificate pinning),
>> 	• valid-for - which domain names should be resolved by this 
>> server: in this example all names that do not contain a dot ("_nodot") [4] as well as all domains that end with ".some-company".
>>
>> What do You think?
>>
>> Greetings,
>>
>> Mateusz
>>
>>
>>
>>
>>
>> [1] A URI segment that begins with a semicolon is called a path parameter. An example (taken from [2]) would be:
>>
>>         http://www.mysite.com/admin/UpdateUserServlet;jsessionid=OI24B9ASD7BSSD
>>
>> The URI template specification (RFC6570) supports expansion of path parameters with a syntax like:
>>
>>         http://example.com/{;who}
>>
>> [2] https://doriantaylor.com/policy/http-url-path-parameter-syntax
>>
>> [3] The DoH specification requires that:
>>
>>     "This protocol MUST be used with the https scheme URI [RFC7230]."
>>
>> but I assume that using "doh://" does not break this as the statement is really 
>> concerned with using encryption and not the "https://" string. 
>>
>> [4] The first character is intentionally "_" because it cannot exist in valid domain names.
>>
>>
>>
>>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

--------------0D6862A0076D5B2E04FD2B9A
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>There are many configuration parameters involved in DoH. <br>
      After encapsulating them in a single string, it is easier for the
      user <br>
      to set a custom DoH resolver, among other benefits (which I <br>
      elaborated on in the original e-mail).</p>
    <p>W dniu 03.06.2019 o 00:53, Mark Nottingham pisze:</p>
    <blockquote type="cite"
      cite="mid:41206ECE-4CD8-41A5-AE4B-2EFE0EC00A6A@mnot.net">
      <pre class="moz-quote-pre" wrap="">Why not just convey this separately -- why does it have to be in the URL?

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">On 2 Jun 2019, at 7:44 pm, Mateusz Jończyk <a class="moz-txt-link-rfc2396E" href="mailto:mat.jonczyk@o2.pl">&lt;mat.jonczyk@o2.pl&gt;</a> wrote:

Signed PGP part
Hello,

Currently, there are multiple ways of resolving DNS queries:

	• old port-53 DNS,
	• DNS over TLS,/
	• DNS over HTTPS.
Some of these accept additional parameters, such as server certificate information 
(which may be necessary when using local DoH / DoT servers). These parameters are 
server-specific --- when configuring multiple servers, each of them may need 
different certificate information.

I would argue that it would be beneficial to embed all such parameters into a 
single server specification string. The user would be able to copy-paste them, 
for example from the website of their chosen DNS resolver, a file provided by 
their sysadmin or from their router configuration GUI. A DHCP server could advertise 
the string in a single field. Additionally, an application could pass the whole 
string to a DNS-handling library. That way the application would not have to 
implement support for all DNS configuration parameters on its own (with complex 
GUIs) and new parameters (or even new DNS resolver types) could be supported by 
the program after a library upgrade. This would also simplify configuration file 
structure (allowing for a single server per line).

Some examples [3]:

	• doh://dnsserver.example.net/dns-query{?dns};ip=1.2.3.4;root-cert=zdYsea0CQufOmBpLdLfu/q3tOOdxbBCuZNhAa+YuQWo
	• dns://1.2.3.4;valid-for=_nodot,.some-company

I would like to propose to use a semicolon ';' as the separator between 
a resolver address (or an URI template) and resolver parameters. Theoretically, 
a DoH URI Template could contain a semicolon, but that should be very rare [1]. In such cases, the semicolon would be percent-encoded as "%3B".

Parameter explanation:

	• ip - IP of the DoH resolver, used for bootstrapping,
	• root-cert - fingerprint of the root certificate of the 
DoH server (specified in a similar way as in HTTP certificate pinning),
	• valid-for - which domain names should be resolved by this 
server: in this example all names that do not contain a dot ("_nodot") [4] as well as all domains that end with ".some-company".

What do You think?

Greetings,

Mateusz





[1] A URI segment that begins with a semicolon is called a path parameter. An example (taken from [2]) would be:

        <a class="moz-txt-link-freetext" href="http://www.mysite.com/admin/UpdateUserServlet;jsessionid=OI24B9ASD7BSSD">http://www.mysite.com/admin/UpdateUserServlet;jsessionid=OI24B9ASD7BSSD</a>

The URI template specification (RFC6570) supports expansion of path parameters with a syntax like:

        <a class="moz-txt-link-freetext" href="http://example.com/">http://example.com/</a>{;who}

[2] <a class="moz-txt-link-freetext" href="https://doriantaylor.com/policy/http-url-path-parameter-syntax">https://doriantaylor.com/policy/http-url-path-parameter-syntax</a>

[3] The DoH specification requires that:

    "This protocol MUST be used with the https scheme URI [RFC7230]."

but I assume that using "doh://" does not break this as the statement is really 
concerned with using encryption and not the "https://" string. 

[4] The first character is intentionally "_" because it cannot exist in valid domain names.




</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">--
Mark Nottingham   <a class="moz-txt-link-freetext" href="https://www.mnot.net/">https://www.mnot.net/</a>


</pre>
    </blockquote>
  </body>
</html>

--------------0D6862A0076D5B2E04FD2B9A--