Re: [Doh] WG Review: DNS Over HTTPS (doh)

Cullen Jennings <fluffy@iii.ca> Tue, 26 September 2017 14:43 UTC

Return-Path: <fluffy@iii.ca>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED383126B71 for <doh@ietfa.amsl.com>; Tue, 26 Sep 2017 07:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.7
X-Spam-Level:
X-Spam-Status: No, score=-4.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYW48ZmdRvSy for <doh@ietfa.amsl.com>; Tue, 26 Sep 2017 07:43:43 -0700 (PDT)
Received: from smtp109.iad3a.emailsrvr.com (smtp109.iad3a.emailsrvr.com [173.203.187.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5471E13307B for <doh@ietf.org>; Tue, 26 Sep 2017 07:43:43 -0700 (PDT)
Received: from smtp22.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp22.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 6150F6941; Tue, 26 Sep 2017 10:43:39 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp22.relay.iad3a.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 8E8F71999; Tue, 26 Sep 2017 10:43:38 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [10.24.108.215] ([UNAVAILABLE]. [128.107.241.183]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.7.12); Tue, 26 Sep 2017 10:43:39 -0400
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <EB3D58DB-1F8D-4E32-AE71-841EBCDDC3CA@vpnc.org>
Date: Tue, 26 Sep 2017 09:43:36 -0500
Cc: doh@ietf.org, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BF37A755-3C70-47CA-8FE6-8F1CAD8B6676@iii.ca>
References: <150549029332.2975.12341647131707994474.idtracker@ietfa.amsl.com> <CA+9kkMBJAP23GmGf_ix-DMeOMB=Rbas+qsBQhrVwZuA5-Cv7Mg@mail.gmail.com> <EB3D58DB-1F8D-4E32-AE71-841EBCDDC3CA@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/WL-79ZRgi_fJ6dlj2G7PHjxKVfU>
Subject: Re: [Doh] WG Review: DNS Over HTTPS (doh)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2017 14:43:46 -0000


If we need this to worry about what form of HTTP we are sending it over, we are doing it something very wrong - ether this or HTTP. And if this WG needs to worry about how the HTTP is transported over UPD, or TCP or v4 or v6, then we have the wrong charter. 



> On Sep 15, 2017, at 1:24 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> On 15 Sep 2017, at 9:44, Ted Hardie wrote:
> 
> =>> This working group will standardize encodings for DNS queries and responses
>>> that are suitable for use in HTTPS. This will enable the domain name system
>>> to function over certain paths where existing DNS methods (UDP, TLS, and
>>> DTLS)
>>> experience problems.  The working group will re-use HTTPS methods, error
>>> codes, and other semantics to the greatest extent possible.  The use of
>>> HTTPS
>>> provides integrity and confidentiality, and it also allows the transport to
>>> interoperate with common HTTPS infrastructure and policy.
>>> 
>>> 
>> I appreciate the charter's use of "HTTPS" as a signal that these are
>> intended to be TLS-protected HTTP sessions.  I note, however, that there is
>> considerable ambiguity still present.  HTTPS can mean HTTP 1.1 over TLS,
>> HTTP/2 over TLS, and it may mean HTTP over QUIC at some point soon (in some
>> deployments it already means that).  The document named as input specifies
>> HTTP/2  over TLS.  While the working group may, of course, change that to
>> support HTTP 1.1 and/or QUIC, it might be useful for the charter to
>> indicate which of these is potentially in scope.
> 
> Yes, please. The charter should say "HTTP/2 over TLS". There is no reason for current browsers adding this feature to add it using an obsolete protocol. If someone wants to create a diff from the eventual protocol for HTTP 1.1, they can do that without forcing the document to add a comparison of the two transports to what is supposed to be a short, concise document.
> 
>> If the community is sure
>> now that HTTP over QUIC is in scope, for example, having that noted in the
>> charter by adding the QUIC working group to list of working groups to
>> consult would be useful.
> 
> The deadline for this WG is well ahead of when HTTP-over-QUIC will be finalized. Instead, when HTTP-over-QUIC is finalized, an update to this document should be pretty easy to produce.
> 
>> I will confess a bias here: while I think it is useful to match the
>> capability set of HTTP over QUIC to that of HTTP over other transports as
>> much as possible, I think making that a key part of this work is not a good
>> initial direction.  For one thing, there are some aspects of the QUIC
>> transport that are still in discussion, and I think it will slow this work
>> a bit to track those.  More importantly, though, I think this would be the
>> wrong way to do DNS over QUIC (draft-huitema-quic-dnsoquic-00 shows a
>> different approach).  Having QUIC be an early focus here may solidify an
>> approach that is simple, but not nearly as complete as we could deliver
>> with a DNS over QUIC.
>> 
>> (This is in part because of the choice to use the udp wireformat as the
>> baseline HTTP response here, rather than specifying DNS responses over a
>> transport construct like a QUIC stream.  The working group could, of
>> course, change that, but it would seriously shift the direction of its
>> input document to do so).
> 
> Fully agree.
> 
>>> Specification of how the DNS data may be used for new use cases, and
>>> the discovery of the DOH servers, are out of scope for the working group.
>>> 
>>> 
>> While it is useful to know that discovery is out of scope here, I think
>> having a quick community discussion now of where it might be in scope is
>> useful.  There are some potentially interesting questions buried in that,
>> especially in how we expect interworking with existing systems to go.
>> Note that even if the service discovery method provides an HTTPS URI for
>> the name server, the questions above related to HTTP version or transport
>> may bite you.  For server discovery based on address and port, the
>> situation is much the same unless the port is clearly marked as TCP or
>> UDP.  And if the server discovery includes no port at all, then a happy
>> eyeballs type method may be needed.
>> 
>> This may all fall into a combo of DHCP and DNSOP work, but giving somewhat
>> clean lines for it now seems like it will make the later work go faster.
> 
> If you want to propose a new WG for that, please do so; there are a lot of people interested in that topic. It definitely goes across multiple areas of interest, such as "discovery" and "addressing" and even "trust". Personally, I don't think it applies to a transport document.
> 
>>> Milestones:
>>> 
>>> Apr 2018 - Submit specification for performing DNS queries over HTTPS to
>>> the IESG for publication as PS
>>> 
>>> 
>> I admire the optimism in this.
> 
> It was not optimistic with the charter that was originally sent to the IESG; see <https://datatracker.ietf.org/doc/charter-ietf-doh/00-00/>. As more issues are added to the charter, it makes sense to have to extend the milestone deliverable.
> 
> --Paul Hoffman
>