[Doh] "Selection of DNS API Server": make it a copy of "Security Considerations"

Mateusz Jończyk <mat.jonczyk@o2.pl> Tue, 22 May 2018 10:17 UTC

Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFD00126B72 for <doh@ietfa.amsl.com>; Tue, 22 May 2018 03:17:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uA4K0LeXDwJf for <doh@ietfa.amsl.com>; Tue, 22 May 2018 03:17:18 -0700 (PDT)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0EE2126CBF for <doh@ietf.org>; Tue, 22 May 2018 03:17:17 -0700 (PDT)
Received: (wp-smtpd smtp.tlen.pl 35871 invoked from network); 22 May 2018 12:17:13 +0200
Received: from acnx253.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[83.10.177.253]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP for <doh@ietf.org>; 22 May 2018 12:17:13 +0200
To: "Hewitt, Rory" <rhewitt=40akamai.com@dmarc.ietf.org>, DoH WG <doh@ietf.org>
References: <CAHbrMsCxkogJ-fzubf7cPgvbeGAhWUFKV3crrmn4ee6=fDnqwQ@mail.gmail.com> <382ba525100a4561b086fe8b8b6527be@ustx2ex-dag1mb3.msg.corp.akamai.com>
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
Openpgp: preference=signencrypt
Message-ID: <7606e9fa-7a11-34d0-b6a4-ae230dd3ac52@o2.pl>
Date: Tue, 22 May 2018 12:16:49 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <382ba525100a4561b086fe8b8b6527be@ustx2ex-dag1mb3.msg.corp.akamai.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TinrPcs7AGfN6gQa3hXmDTWSO4ToJ3qYi"
X-WP-MailID: 36a9fa7fe338277856a0113558181505
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [cbPk]
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/smfjNuX1p8o7Y369-DcUf7Am_OQ>
Subject: [Doh] "Selection of DNS API Server": make it a copy of "Security Considerations"
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2018 10:17:21 -0000

W dniu 21.05.2018 o 22:41, Hewitt, Rory pisze:
> I know I brought this up in 
> https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/174 and agreed to 
> leave it, but I see that Mateusz subsequently brought it up in 
> https://www.ietf.org/mail-archive/web/doh/current/msg00557.html...
> 
> I would really like to see Section 4 (Selection of DNS API Server) moved to be 
> within Section 9 (Security Considerations), perhaps as a subsection (9.1: 
> Selection of DNS API Server) 

Hello,
I was also planning to bring up something about these sections but I was busy.

Both section "Security Considerations" and section "Selection of DNS API Server"
specify which server the client may use but in a different way:

	[...] the client MUST
	establish that the HTTP request URI is a trusted service for the DOH
	query, in other words, a DNS API client MUST only use a DNS API server
	that is configured as trustworthy.

vs

	A client MUST NOT use arbitrary DNS API servers. Instead, a client MUST
	only use DNS API servers specified using mechanisms such as explicit
	configuration.

Such discrepancy is confusing.

If there should be a section "Selection of DNS API Server", the text there
should be just a repetition of what is said in "Security considerations" with a
reference to "Security considerations".

So I would propose the following text for section "Selection of DNS API Server":

	As specified in the section "Security considerations",
	a client MUST NOT use arbitrary DNS API servers.
	Instead, a client MUST only use DNS
	API servers specified using mechanisms such as explicit configuration.

I have sent a corresponding pull request:

	https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/184

Greetings,
Mateusz