IETF Logo Mail Archive

Re: [Doh] No truncation for DNS over HTTPS

Massimiliano Fantuzzi <superfantuz@gmail.com> Thu, 22 March 2018 15:43 UTC

Return-Path: <superfantuz@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46234127076 for <doh@ietfa.amsl.com>; Thu, 22 Mar 2018 08:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rj7GohW4KgU for <doh@ietfa.amsl.com>; Thu, 22 Mar 2018 08:43:12 -0700 (PDT)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0D212D94A for <doh@ietf.org>; Thu, 22 Mar 2018 08:43:11 -0700 (PDT)
Received: by mail-lf0-x22f.google.com with SMTP id j68-v6so13832164lfg.13 for <doh@ietf.org>; Thu, 22 Mar 2018 08:43:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=s1CAb0Wtu5DAjjaogZow1agJFvwW/YRgHBXPfF0zh/I=; b=ZWn4plZttxKA/6RMRMw2vrWGELD3mekRrU4NYvEZBQdEiR0TeYQSQ75iW45LmpKhOD qkG2V1sXdC7MWFr+dKL5xSZrRkuYbmYKYtVi18fmQ4+ZwS4rGWPobuEb5j5GB+D8k8l0 qxhn0WsUFAizryraK9jy0xuTb8dI33HQUul4iz/0Q6lCOB5YREsgxS/cmSc2QFya8EAo OqG+o8MxNjuYqsHw1O4tH1AF1ZqdwfzVm2VUlx5PMtCBnTHmHHN7lc4h1y3l2zQZaKqY cxR56N3ePYPqkhfUcBZ7tNBbRtjK4ifhCgxG0vGauN2uJXwDnNkH1cEbA4Od+fWRb/ej 7cVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=s1CAb0Wtu5DAjjaogZow1agJFvwW/YRgHBXPfF0zh/I=; b=Yda37DTYDXqYdkb+bIY5+aj42QRY2glDdz35HmhmRyN5X8hrccWUNqHVKpm1bE8TUP aA/0X3RCJycfC2y+3s8qd1YpXOoAeIS2tiVgwgN/LrkudRi4t9JjkoYjX7vKcUanwOel nkEFBlXVmehqSSjS3O5SlT3irvcL/KEeCL5OoQLDzSiYb1CpbawbgqOhoTSc9UmnIYVa yYC/RLz6s/Q4reYwKi9bVPqG2HCcMi33aTkPkpfqQJno9iUpMHwMyQUbwxM1P871tLXq Q5E0TAksrx7e3/EzpUa3ajjntVRR2M6RTgFJHMHRuDmGN6UlHirIsr9YL12g9h4AiMV/ igCw==
X-Gm-Message-State: AElRT7E454NoRUPZL9kA/0VPjPryyu+ByGsLrOD/oz+q1q2gi26BqK/f 1Mw88PoJ0BQbBMQ3u1aCumUmoXwixR5MGcX2tYE=
X-Google-Smtp-Source: AG47ELspvdf74xItU0h8RdrAfdmG0y5zW10MODbLZJ4H4qbxZlEdFKoaWpm2/OVIGHUHIiNsN7ZvB81I7nPDTchnVlo=
X-Received: by 10.46.34.70 with SMTP id i67mr16772676lji.143.1521733389839; Thu, 22 Mar 2018 08:43:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:1d8a:0:0:0:0:0 with HTTP; Thu, 22 Mar 2018 08:43:08 -0700 (PDT)
In-Reply-To: <26c28a74-632d-4c9c-2a64-36711180bcaa@bellis.me.uk>
References: <CAAObRXJDV5Oa_d_S12HT2jqBuO=-AHOuMH8eKrac3BZ2bDxixw@mail.gmail.com> <a8949b7b-5717-6d63-af70-984894e6a571@bellis.me.uk> <CAAObRXKTpo=xt_C=C1xhkeOFAV=B7_fq7r7nU24VE-7RpVqbBA@mail.gmail.com> <26c28a74-632d-4c9c-2a64-36711180bcaa@bellis.me.uk>
From: Massimiliano Fantuzzi <superfantuz@gmail.com>
Date: Thu, 22 Mar 2018 16:43:08 +0100
Message-ID: <CABwxwWiGKTf3=_C+5U-bc4b16b1sZrh+h0A9HzAJyyTpny5OEA@mail.gmail.com>
To: Ray Bellis <ray@bellis.me.uk>
Cc: Davey Song <songlinjian@gmail.com>, doh@ietf.org
Content-Type: multipart/alternative; boundary="f4030439a1f024f1ea0568022a95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/XeJkNQ-PnAKp7A6f_kU4hXEEfSU>
Subject: Re: [Doh] No truncation for DNS over HTTPS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 15:43:15 -0000

Hi Ray, list,

>The client shouldn't be able to tell the difference between a "native"
>DOH Server endpoint and one that's being proxied through some smart
>middleware to a DNS server that only speaks "normal" UDP and TCP
>wire-format queries.

That is key statement, shall be clear to everyone implementing clients-only
!

> That said (and as suggested a few messages back) a pool of persistent
> TCP connections between proxy and server would be preferable to using
> UDP and risking truncation.

Agree but driving towards TCP-only is not exactly desired either, is it ?
More largely, we look at future.
By the way, I agree to have two wireformats, UDP and TCP, helps the client
flagging/react quicker.

Today's DNS is *UDP and TCP only *wether DOH could benefit of other than
TCP-only transport.
IMHO, being liberal on any future transport, and be "sort of strict" on how
backend messaging has to happen, has negative effect of limiting UDP/DNS
initial usage.
In a sense, setting or handling TC bit and siizes should not even be task
of the DOH but demanded to the client implementation, what you think ?

What is the sense of passing a wireformat, if "extra intelligence" is
required outside of the specs of the proto ??
What's better than "forging" out the packet as-is in a pure DNS way ?
Ok you might skip the forgery part but you already have a good packet to
work with DNS standard stuff, why rework it further?

I also wrote this comment on >512 sizes, few minutes ago:
https://github.com/dohwg/draft-ietf-doh-dns-over-https/issues/110#issuecomment-375335739

Client implementation should be as easy and standard as possible. To copy
dig source code and make it dig-o-h just a joke.
Quick example, my pre-doh implementation used CURLlibs and system's
resolver, so easy that is almost ugly (server-only from a DNS point of
view).
Works on every DNS client (and TCP was left in the TODO, just for the sake
of precision).
AND as a plus, enables DOH client and server implementations (client C,
server PHP).
I changed nothing in how the local and remote systems acquire or query DNS
informations (i.e. DOH is already a proxy itself)

Quoting your last, Ray
> The client shouldn't be able to tell the difference
Proxy specific reasoning has always represented an "added complexity" to
become really transparent...

I believe re-describing truncation or mentioning how-to proxyfication
happens, are not primary goals in doh-draft, what are your thoughts ?
If (1035) then (DNS). If (HTTP) then (stateless).
 = burden of the client to find it's way through standards of DNS querying
(i.e. retry the same server after timeout, try next server and assume
broken, retry in TCP, whatever).

Sorry for long post.


With kind regards,
max


On Thu, Mar 22, 2018 at 4:02 PM, Ray Bellis <ray@bellis.me.uk> wrote:

> On 22/03/2018 14:51, Davey Song wrote:
> > Sorry. We are talking about two different things. One is about DOH as a
> > dns transport protocol. One is about the proxy use case.
> >
> > I'm told by the author that the doh draft is to define HTTPS as DNS
> > native transport, just as DNS UDP and DNS TCP, that's why I'm asking
> > more clarification on truncation.  There is nothing to do with proxy use
> > case.
>
> IMHO you can't separate the two.
>
> The client shouldn't be able to tell the difference between a "native"
> DOH Server endpoint and one that's being proxied through some smart
> middleware to a DNS server that only speaks "normal" UDP and TCP
> wire-format queries.
>
> [the analog is those using e.g. stunnel to provide DNS-over-TLS support
> as a front end to servers that don't natively support DNS-over-TLS]
>
> > If the DNS API server is deployed as a proxy, it is introduced as a doh
> > use case in another draft in dnsop:
> > https://tools.ietf.org/html/draft-ietf-dnsop-dns-wireformat-http-02
> >
> > In the doh proxy draft, it keeps the transparent principle which is
> > proposed in rfc5625 as well as full support on TCP proposed in s4.4.1 of
> > rfc5625. So the "WAN interface" speaking normal UDP must recognize TC
> > bit and be able to fall back to TCP. But the "LAN interface" speaking
> > DOH should not do truncation. The process of truncation for
> > stub-resolver should be done in the"LAN interface" of DNS API client, If
> > I understand correctly.
>
> I believe that's consistent with what I wrote in my second paragraph:
>
> "The alternative is that the proxy has to have sufficient smarts to
> recognise the returned +TC and re-issue the request over TCP to the
> backend DNS server."
>
> That said (and as suggested a few messages back) a pool of persistent
> TCP connections between proxy and server would be preferable to using
> UDP and risking truncation.
>
> > I will add your suggestion on doh proxy draft. It is recommended in
> > rfc5625 though.
>
> Look at who wrote that RFC :p
>
> Ray
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>



-- 

*Massimiliano Fantuzzi*
*IT professional, expert in DB Linux and networks.*

*+41 76 754 1037 <%2B41%2076%20754%201037>*

v2.23.0 | Report a Bug | By Email