Re: [Doh] WGLC on draft-ietf-doh-dns-over-https

Mateusz Jończyk <mat.jonczyk@o2.pl> Sat, 05 May 2018 16:17 UTC

To: DoH WG <doh@ietf.org>
Cc: sara@sinodun.com
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
Message-ID: <56fb94bd-ec0f-81c8-16c8-8391ef1a5f46@o2.pl>
Date: Sat, 05 May 2018 18:17:12 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/d6mWKBhfvRFqcFB4OCe1dr1kFdE>
Subject: Re: [Doh] WGLC on draft-ietf-doh-dns-over-https

Sara Dickinson on Fri, 04 May 2018 17:03 UTC wrote:
> The text in the latest GitHub version of the draft now uses phrases like "a
> client MUST specifically authorize DNS API servers".
>
> I'm not clear if there is any difference between 'authorizing' a server and
> just using a server? If there is some subtlety here then I'd like to
> understand it, but if not I created
> https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/174 to simplify
> the text and also put the discussion of selection of server in its own
> section.

This text is also unclear to me. I cannot really understand what is meant by the
following sentence:

	For HTTP requests initiated by the DNS API client this authorization is
	implicit in the selection of URI.

Should I read it as: "by selecting a DNS API server URI the client is implicitly
authorizing the server", whatever this means in practice?

On the other hand, the wording proposed by Sara Dickinson looks too verbose to
me and is also unclear. In the following sentence:

	Before using a DNS API server for DNS resolution, the client MUST
	establish that the HTTP request URI is a trusted service for the DOH
	query, [...]

what should the phrase "is a trusted service for the DOH query" mean?
Is it possible that for some DOH queries the request URI is trusted and for some
others isn't?

I would simply propose the following text for the "# Security" section:

	When DNSSEC is not used, a DNS API server can give the client invalid
	data as a response to a DNS query. Therefore, a DNS API client SHOULD
	carefully determine which DNS API server(s) it trusts. For example, a
	DNS API client can have trusted DNS API server(s) preconfigured.

I suppose that most computer users won't know what a DNS is and won't configure
a DNS API server themselves. Therefore "explicit configuration" in practice
means "preconfigured DNS API server(s)".

Greetings,
Mateusz Jończyk
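As an added illustration of the "preconfigured trusted server" model argued for in this message (an editor's example, not text from the draft, the author, or any DoH implementation): a client that will only build DoH GET requests for URIs on its preconfigured allowlist. The `dns` query parameter, the base64url-without-padding encoding and the message-ID-0 recommendation follow RFC 8484, the published form of this draft; the allowlist entry and query name are constructed sample values.

```python
import base64
import struct
from urllib.parse import urlparse

# Constructed allowlist: the DNS API server URIs this client was shipped with.
# "Explicit configuration" means a URI not listed here is never queried.
TRUSTED_DOH_URIS = frozenset({
    "https://doh.example.net/dns-query",
})


def is_authorized_server(uri: str) -> bool:
    """Authorization is a strict allowlist match: https only, exact host and path.

    The host is lowercased; ports, userinfo and the query string are not
    tolerated, so look-alike URIs fail closed."""
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return False
    normalized = f"https://{parsed.netloc.lower()}{parsed.path}"
    return normalized in TRUSTED_DOH_URIS


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS wire-format query (RFC 1035) with RD set and ID 0.

    RFC 8484 recommends ID 0 so identical questions produce identical
    HTTP requests and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(server_uri: str, query: bytes) -> str:
    """Build the DoH GET URL (?dns=<base64url, no padding>) for a trusted server.

    Refuses, rather than silently resolving through, any server that was not
    preconfigured as trusted: this is the client-side meaning of "authorize"."""
    if not is_authorized_server(server_uri):
        raise PermissionError(f"DNS API server not preconfigured as trusted: {server_uri}")
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server_uri}?dns={encoded}"
```

A real client would send the resulting URL with `Accept: application/dns-message` over a TLS connection whose certificate it validates; the allowlist check above is what stops it from being pointed at an arbitrary resolver by a non-DNSSEC-validating path.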