Re: [Doh] [Technical Errata Reported] RFC8484 (6033)

Barry Leiba <barryleiba@computer.org> Mon, 30 March 2020 16:40 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF2023A186B for <doh@ietfa.amsl.com>; Mon, 30 Mar 2020 09:40:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.252
X-Spam-Level:
X-Spam-Status: No, score=0.252 tagged_above=-999 required=5 tests=[FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4w9XKy5qdVD5 for <doh@ietfa.amsl.com>; Mon, 30 Mar 2020 09:40:09 -0700 (PDT)
Received: from mail-io1-f68.google.com (mail-io1-f68.google.com [209.85.166.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 730B63A1900 for <doh@ietf.org>; Mon, 30 Mar 2020 09:40:09 -0700 (PDT)
Received: by mail-io1-f68.google.com with SMTP id q9so18490519iod.4 for <doh@ietf.org>; Mon, 30 Mar 2020 09:40:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DeBH//KLG40ULowTNg81wukONwdbM9p4uRds/YAiMUU=; b=IH2dMVwF6rp3EtfDfHR4c1TJiodnqax6AxTLrjOhCI+J/uFN8ufOmOnn/0zpe5dtyM Q92doF2Gm/yCWHe3WENRYYlzYobrdJWCar6YStb9Vuevj2B0FSFT3vly5gfXtVm7Idaa hUV8tK18CwH1U4f4dD6t8zFCZMjLkIq5O/OE9AbAlwdTPv5w5zh6rDJlEgUGVMjSZYAu CX1HERcZZ3TLtHo82OkQoKJKQcFwX0nI+a5N+leFzfEf/utdn5S5KiaBIdkhshbQ+UH0 7fuvkYxCFnS+nNx6iq9rK1syry/E9ssYdpu+lQlDQLEaqniGPT+yHHwVeKU6G5JEdo/b JAqQ==
X-Gm-Message-State: ANhLgQ3sw5Y+NFHNwskOV7o9E5dH28PjqKHVtRGJb1/VZO7nZGlvz+fI h0yC8X3ens6Ze7m9vIHK1QPsFO9mZ1jHl7rI9+A=
X-Google-Smtp-Source: ADFU+vubGHZpfnmY38jPHImbgcyI1cIUE9EQDd7TBcArQSv1afvREAAgOa+/DS5bnsRRadWWUCCgmzC7ei9cBSRMuLU=
X-Received: by 2002:a6b:2c52:: with SMTP id s79mr11113107ios.160.1585586408400; Mon, 30 Mar 2020 09:40:08 -0700 (PDT)
MIME-Version: 1.0
References: <20200330155304.45AD8F4074B@rfc-editor.org> <CALaySJJ3dAEebgyz==PoSqnhSzFiHcxh0kmynRYBcD6Vjvm+6w@mail.gmail.com>
In-Reply-To: <CALaySJJ3dAEebgyz==PoSqnhSzFiHcxh0kmynRYBcD6Vjvm+6w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Mon, 30 Mar 2020 12:39:57 -0400
Message-ID: <CALaySJK-FNqt-uHOz6oqANj8Xpwt7BOQkO6Ut-iAZ_OY-arO5Q@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: Paul Hoffman <paul.hoffman@icann.org>, Patrick McManus <mcmanus@ducksong.com>, Murray Kucherawy <superuser@gmail.com>, Ben Schwartz <bemasc@google.com>, Dave Lawrence <tale@dd.org>, doh@ietf.org, RFC Editor <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tB1lGG6xtytMJAkTNyJSz6hL780>
Subject: Re: [Doh] [Technical Errata Reported] RFC8484 (6033)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 16:40:22 -0000

Re-sending to correct the correction to Mohamed's email address, which
was mistyped in the errata report and then by me.  Sigh.

Barry

On Mon, Mar 30, 2020 at 12:32 PM Barry Leiba <barryleiba@computer.org> wrote:
>
> The proposed change substantively changes the text and cannot be
> approved through an errata report.  My inclination is "Rejected", as I
> do believe the text says what it's intended to say (so it's not an
> erratum), but I could be convinced that "held for document update" is
> better if the document editors weigh in.
>
> In particular:
> > Forbidding discovery of URI outside the configuration contradicts the above excerpt. The text is as such incorrect.
> >
> > (6) Also, I suggest to remove "simply" from the text. Not sure what message is supposed to convey.
>
> "Simply" is critical, and addresses your line above.  Consider:
>
>    A DoH client MUST NOT use a different URI that was discovered outside
>    of the client's configuration
>
> That's your substitution, and *that* forbids discovery outside the
> configuration.  But with "simply", as written, it says that there must
> be another reason for using a different URI.  It can discover the URI
> from outside the configuration, but that can't be the only reason for
> using it.  That discovery has to be augmented by some other knowledge.
>
> Barry
>
> On Mon, Mar 30, 2020 at 11:53 AM RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
> >
> > The following errata report has been submitted for RFC8484,
> > "DNS Queries over HTTPS (DoH)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6033
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Mohamed Boucadair <mohamed.boucaadir@orange.com>
> >
> > Section: 3
> >
> > Original Text
> > -------------
> >    A DoH client MUST NOT use a different URI simply because it was
> >    discovered outside of the client's configuration (such as through
> >    HTTP/2 server push) or because a server offers an unsolicited
> >    response that appears to be a valid answer to a DNS query.
> >
> > Corrected Text
> > --------------
> >    A DoH client MUST NOT use a different URI that was discovered outside
> >    of the client's configuration (except via HTTP redirection discussed
> >    in Section 6.4 of [RFC7231]).  Also, the DoH client MUST ignore an
> >    unsolicited response (such as through HTTP/2 server push) that
> >    appears to be a valid answer to a DNS query unless that response
> >    comes from a configured URI (as described in Section 5.3).
> >
> > Notes
> > -----
> > (1) The intent of this text is confusing.
> >
> > (2) I checked the mailing list and found that the text was updated late in the publication process to address this comment: https://mailarchive.ietf.org/arch/msg/doh/f_V-tBgB-KRsLZhttx9tGt75cps/.
> >
> > (3) The example provided in the thread (server push) is related to the second part of the OLD text. It is mistakenly attached to the first part.
> >
> > (4) The push example may be interpreted as if server push is disallowed. This is conflicting with Section 5.3.
> >
> > Hence, this change:
> >
> > Also, the DoH client MUST ignore an
> >    unsolicited response (such as through HTTP/2 server push) that
> >    appears to be a valid answer to a DNS query ** unless that response
> >    comes from a configured URI (as described in Section 5.3) **.
> >
> > (5) An intuitive way to discover the URI outside the configuration is redirection.  RFC8484 indicates clearly the following:
> >
> >    The described approach is more than a tunnel over HTTP.  It
> >    establishes default media formatting types for requests and responses
> >    but uses normal HTTP content negotiation mechanisms for selecting
> >    alternatives that endpoints may prefer in anticipation of serving new
> >    use cases.  In addition to this media type negotiation, it ** aligns
> >    itself with HTTP features ** such as caching, **redirection**, proxying,
> >    authentication, and compression.
> >
> > Forbidding discovery of URI outside the configuration contradicts the above excerpt. The text is as such incorrect.
> >
> > (6) Also, I suggest to remove "simply" from the text. Not sure what message is supposed to convey.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC8484 (draft-ietf-doh-dns-over-https-14)
> > --------------------------------------
> > Title               : DNS Queries over HTTPS (DoH)
> > Publication Date    : October 2018
> > Author(s)           : P. Hoffman, P. McManus
> > Category            : PROPOSED STANDARD
> > Source              : DNS Over HTTPS
> > Area                : Applications and Real-Time
> > Stream              : IETF
> > Verifying Party     : IESG