[Doh] DoH client-server interoperability vs. strict HTTP parameter checking

Christoph <cm@appliedprivacy.net> Sat, 01 June 2019 12:36 UTC

Return-Path: <cm@appliedprivacy.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F8851202CE for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 05:36:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=appliedprivacy.net header.b=O4LmgajC; dkim=pass (2048-bit key) header.d=appliedprivacy.net header.b=PoMjASXZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rm4yiMQbYcF4 for <doh@ietfa.amsl.com>; Sat, 1 Jun 2019 05:36:26 -0700 (PDT)
Received: from mx1.mailbox.org (mx1.mailbox.org [IPv6:2001:67c:2050:104:0:1:25:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D74912007C for <doh@ietf.org>; Sat, 1 Jun 2019 05:36:24 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id 01F734F22C for <doh@ietf.org>; Sat, 1 Jun 2019 14:36:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= appliedprivacy.net; h=content-transfer-encoding:content-language :content-type:content-type:mime-version:date:date:message-id :subject:subject:from:from:received; s=v20171117; t=1559392570; bh=tfEkuTbeCyyDWxJ77bc4lodWEvPsctyQY/gfmx1NHRY=; b=O4LmgajCuczA q1cYB5TWNoTLk7nMK5DIdwRyTHU6dC+Ombr7mwxBwmcRKN1PEuR3Y9D6ZMm56Yc0 Ov8D9B98eVSquXkVZH9oj9CudFQrEH7r+rDKAal6Q4lsxC9Ce7r95wryA5ujTKXS PqzQWZ5QqXGieaLhhdBxzMC2LiOpcURQeW0Zn+9NxTKih2sUSQDjWxCggSN2F70h 12IvzdF1WLYRemCS01YdPCdTXxm1VI4QcZ0dXziM9uEIyP16EpLAF6nHvGGs8hYY MOn3D+043I7bvyhPMhmMg6SoglavhX9Cs35lSnUClqfnrTfF6PuQ8l9JAEyBUjtp vKQpZ56jcw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appliedprivacy.net; s=v20171117; t=1559392581; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=tfEkuTbeCyyDWxJ77bc4lodWEvPsctyQY/gfmx1NHRY=; b=PoMjASXZskIC7VCBFb7p6ysbse9Ul0yH77ZCEzUz9wZEpzCLNMIlDDt6N6Z6vFWv/1SnE0 MuNNJMMX3KQT858KK9W3uKM2h8KIWSy1fd+Ix3R+eV2SIw9bDm9ah+U4gxhW75xSw5XOsy kNFbOjT4wRVC3cwiJrcGpZPr8QltzpsgWtvKR55iUP5srVpUj65ZQ6SvXlhlSDgeREZIwo BfHJdOSovWgp2iIIS44r2e3pUGYLdzPPU6+zJf8XfN8RzG0m+QUcIzYmWuzHH1AQ+U581t duAkD0JmgtAKPHKPR+ZTscuJwBti/bqDzol3l4WtEBfpyHhGMyUHI0M9NFdyRw==
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id y4tnMIrFpHYe for <doh@ietf.org>; Sat, 1 Jun 2019 14:36:10 +0200 (CEST)
To: doh@ietf.org
From: Christoph <cm@appliedprivacy.net>
Message-ID: <770d0bf0-0a93-4d9a-4cb1-1f1e44c584aa@appliedprivacy.net>
Date: Sat, 01 Jun 2019 12:36:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/naLd8rVW1HWmghlCs6qmtNq-5RE>
Subject: [Doh] DoH client-server interoperability vs. strict HTTP parameter checking
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jun 2019 12:36:28 -0000

Hello,

we run a public DoH service and while running and comparing
different DoH server implementations in practice we noticed that
some have a higher error rate than others.
The error rate was measured by looking at the fraction of each HTTP
response code.

It turned out that those server implementations with a higher error rate
just do stricter HTTP parameter checking. Not necessarily the content of
the parameter but the list of parameters contained in the request.

The result is that some DoH clients are not compatible with some DoH
servers.

The error condition is caused by DoH clients that have additional HTTP
parameters in the request that is not specified in section 4.1 of
RFC8484 in combination with DoH server implementations that enforce the
absence of any additional parameters.

To increase interoperability we reached out to (some) affected DoH
client and server vendors but we would also like to hear opinions from
this WG.

Should DoH servers reject requests with a '400 Bad Request'
response when the request contains HTTP parameters not defined in RFC8484
or
should DoH servers be less strict and simply ignore additional HTTP
parameters and proceed with processing the relevant HTTP parameters
required to provide an answer?


thanks,
Christoph