IETF Logo Mail Archive

Re: [Doh] Mirja Kühlewind's No Objection on draft-ietf-doh-dns-over-https-13: (with COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Thu, 16 August 2018 09:15 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C27D6130E6A for <doh@ietfa.amsl.com>; Thu, 16 Aug 2018 02:15:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tp_gx2wuf-aP for <doh@ietfa.amsl.com>; Thu, 16 Aug 2018 02:15:46 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A85E7130D7A for <doh@ietf.org>; Thu, 16 Aug 2018 02:15:45 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=LvNBmOP2/G2P5WN+zC2E4oy5FsGTwRrfrjdXlRH3ybJ9C+e/1L9j7obJcHwyQPJ2CnezvSxSClJ91yCl+eMfgadWDdCg7EQVoWbUachJwLUElhRJ22P5j26oZqMJxawbq7ApWkbEXyWhKZzUeTaFB8uQetiAozda79+EIqV01TA=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 30944 invoked from network); 16 Aug 2018 11:09:02 +0200
Received: from mue-88-130-61-168.dsl.tropolys.de (HELO ?192.168.178.24?) (88.130.61.168) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 16 Aug 2018 11:09:02 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <CAOdDvNoqVxETNz4JxgrcZSRZ-Tb2+oQPcOCjjS3gH4z+YHcptQ@mail.gmail.com>
Date: Thu, 16 Aug 2018 11:09:01 +0200
Cc: Benjamin Schwartz <bemasc@google.com>, draft-ietf-doh-dns-over-https@ietf.org, DoH WG <doh@ietf.org>, The IESG <iesg@ietf.org>, doh-chairs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4FB2E0CA-CB88-4600-9931-562FC5C5F1A6@kuehlewind.net>
References: <153417233866.25070.3751592720564238859.idtracker@ietfa.amsl.com> <CAOdDvNoqVxETNz4JxgrcZSRZ-Tb2+oQPcOCjjS3gH4z+YHcptQ@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-PPP-Message-ID: <20180816090902.30935.65931@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/pk22wnaM9XB7fYvCFXiaiW-OTMg>
Subject: Re: [Doh] Mirja Kühlewind's No Objection on draft-ietf-doh-dns-over-https-13: (with COMMENT)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Aug 2018 09:15:47 -0000

Hi Patrick,

> Am 13.08.2018 um 19:06 schrieb Patrick McManus <pmcmanus@mozilla.com>:
> 
> Thanks Mirja.
> 
> On Mon, Aug 13, 2018 at 10:58 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
> 
> One question:
> In case DoH doesn't work for some reason, is this supposed to fallback to DNS
> over TLS? I guess if the selected host name would allow detection of DNS and
> SNI is used, it wouldn't be too hard to block DoH requests....? Is that a
> concern?
> 
> 
> DoH doesn't proscribe any particular path to choosing servers and protocols (even for choosing the DoH server) - each protocol has different properties and particular servers might have properties only the configurer can understand (e.g. trust in the service, not just authentication) in the context of the endpoints it knows about. So whether fallback is suitable is something DoH can only really comment on by describing its properties (encrypted and authenticated transport).
> 
> There is no expectation that the same server run DNS service using more than one protocol (i.e. there is no expectation that you use the same host and ratchet down from doh, to dot, to plaintext tcp, to dns.)

Okay thanks for the explanation. I guess it is somewhere „hidden“ in doc that DoH-only servers might be a likely deployment scenario. Is that something worth mention explicitly?

> 
>  
> Also one smallish comment:
> As already brought up in the TSV-ART review (Thanks Ferando!) I would recommend
> to further clarify this sentence in section 5.1: "Using the GET method is
> friendlier to many HTTP cache implementations." What does "friendlier" mean...?
> Or at least maybe provide a forward reference to sec 6.1
> 
> roughly it means more likely to work for a variety of reasons... I'm not sure delving into those reasons really is helpful to the DoH reader - the important property is that HTTP caching works-well with GET and not-so-well with POST. Is friendly a bad word for that? its commonly used in the http and application space around caching afaict.

For me „friendly“ was just kind of a meaningless word in this context (and I respectively wasn’t aware that this word is commonly used). I don’t think you need to give any reasons but maybe it’s simply more clear to say „GET is more likely to be supported by many HTTP caches“?

Mirja



> 
> -P
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email