IETF Logo Mail Archive

Re: [Doh] [Ext] Re: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

Paul Hoffman <paul.hoffman@icann.org> Mon, 25 March 2019 16:15 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 230691203E3 for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 09:15:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3Y3l9-5y66V for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 09:15:43 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C8B11200B3 for <doh@ietf.org>; Mon, 25 Mar 2019 09:15:43 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 25 Mar 2019 09:15:40 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 25 Mar 2019 09:15:40 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Ben Schwartz <bemasc@google.com>
CC: DoH WG <doh@ietf.org>
Thread-Topic: [Ext] Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Thread-Index: AQHU4v8NErSydLS5/EmthYUYA3yQXaYc+eKAgAABcYA=
Date: Mon, 25 Mar 2019 16:15:40 +0000
Message-ID: <728F76D1-A87B-4EA5-AEEA-2775FB32DC00@icann.org>
References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org> <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org> <CAHbrMsD0hp6TAN+AGLSLjeqOjGJT79QMcaN21sOj77R8LXtFtw@mail.gmail.com>
In-Reply-To: <CAHbrMsD0hp6TAN+AGLSLjeqOjGJT79QMcaN21sOj77R8LXtFtw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <078C80B71D565A42BEB5170A6E3DB69C@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/c7o2T9ZQQD30xXISHpa86r-tcZ8>
Subject: Re: [Doh] [Ext] Re: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 16:15:45 -0000

> On Mar 25, 2019, at 5:10 PM, Ben Schwartz <bemasc@google.com> wrote:
> 
> On Mon, Mar 25, 2019 at 7:37 AM Paul Hoffman <paul.hoffman@icann.org <mailto:paul.hoffman@icann.org>> wrote:
> On Mar 25, 2019, at 12:01 PM, Stéphane Bortzmeyer <bortzmeyer@nic.fr <mailto:bortzmeyer@nic.fr>> wrote:
> > Otherwise, even after reading the whole thread "Reviewing
> > Resolver-Associated DOH", I don't understand why https is required in
> > section 2. We don't require DNSSEC in section 3, so why having
> > stronger requirments for HTTP? Since having certificates for IP
> > addresses will be difficult in practice, why not just accepting http
> > as well as https? (Or, <horror>https without cert. checking</horror>.)
> 
> The reason I didn't drop down to http: is that doing so evokes the <horror> response, even though you are quite correct that the other two methods given in this document do not offer any authentication. So, let me ask the WG:
> 
> Would this document be better off with all three methods being equally unauthenticated? Doing so would remove the "but you can't get IP address certificates!" argument that keeps coming up (even though that is overstated). Doing so would simplify the security considerations by making all three protocols have the same obvious weakness.
> 
> An alternative is to have two URI, one with https: and one with http:, and explain that trying the first might be a good idea but to fall back to the second if authentication fails.
> 
> Thoughts?
> 
> Given that the protocol is called "DNS over HTTPS", running it over unencrypted HTTP seems like a contradiction.  It also complicates any security status indication by introducing a mode that no longer offers any confidentiality benefit over standard DNS.

This may be a misunderstanding. The protocol in section 2 is not running DoH, it is for finding a DoH server, in this case, asking for data from a .well-known location. We can choose whatever protocol we want for that; in Section 3, we use DNS.

> Apart from security issues, insecure HTTP is generally restricted to HTTP/1.1.  DoH implementations are strongly encouraged to use HTTP/2, because HTTP/1.1 requires in-order responses.  Running DoH over HTTP/1.1 increases the likelihood of performance problems.

Again, this is not about running DoH.

v2.23.0 | Report a Bug | By Email