Re: [Doh] A question on the mix of DNS and HTTP semantics

Patrick McManus <pmcmanus@mozilla.com> Sun, 18 March 2018 18:18 UTC

In-Reply-To: <20180318164307.GB6724@laperouse.bortzmeyer.org>
References: <CA+9kkMB7awRfW9jUmY9Q-1p+w3VLtpG5DxhF3s7Q58nEMZeX3w@mail.gmail.com> <20180318164307.GB6724@laperouse.bortzmeyer.org>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sun, 18 Mar 2018 18:18:29 +0000
Message-ID: <CAOdDvNr1GstB+g3pYi4w0bXuQ=Nz8HqgTRfWUX9TGu9YAYiz0w@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Ted Hardie <ted.ietf@gmail.com>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tdVY0IDHfeXxpuoUrD3xTBnyHNA>

On Sun, Mar 18, 2018 at 4:43 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Sat, Mar 17, 2018 at 10:42:08AM -0700,
>  Ted Hardie <ted.ietf@gmail.com> wrote
>  a message of 182 lines which said:
>
> > Similarly, it was not clear to me whether a response like 451 could
> > contain a UDP wireformat body and, if so, what it would be.  If it
> > contains no body, the DNS implementation might continue attempting
> > to query for the information.  If it contains a REFUSED RCODE, in
> > contrast, it would see a policy-based error.
>
> That's an interesting example. If a DoH server replies 451, does it
> mean that access to this DoH service is blocked, for policy reasons,
> or that access to this specific DNS data is blocked, for policy
> reasons? In other words, can a HTTP response from a DoH server depend
> on the QNAME? (Or on the tuple {QCLASS, QTYPE, QNAME}?)
>
>
Unfortunately, I don't think HTTP is going to clarify for you why HTTP is
giving the 451 - all you know is that the response body is not the answer
to your DoH request. The 451 could be based on anything in the HTTP request
- which includes the query params and the message body as well as the path
and origin. So you don't know what was wrong with the request in
particular. So it could imo be as general as the hostname or as specific as
a qtype.

But I can say concretely that the message body of the 451 isn't going to
clear that up in anything other than a human readable way.

-P
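The distinction drawn in this exchange (an HTTP 451 whose body is not a DNS message, versus a 200 carrying a DNS message whose RCODE is REFUSED) is easy to get wrong in a client that hands every response body to its DNS parser. The following is an added example written for this page, not code from the thread, from RFC 8484, or from any DoH implementation: it builds a wire-format query, then classifies constructed server responses so that only a 200 with an application/dns-message body is parsed for an RCODE, while a 451 is reported as an HTTP-level policy block with its body ignored. The sample responses, the hypothetical function names, and the use of ID 0 (the RFC 8484 recommendation for cache-friendliness) are all assumptions of the example.

```python
"""Keep the HTTP layer and the DNS layer of a DoH response apart.

Added example, not code from the mailing-list thread or any DoH client.
Only a 200 with an application/dns-message body is a DNS answer; a 451
body is human-readable HTTP content about the request and must not be
fed to the DNS parser. Inside a DNS answer the policy signal is the
RCODE in the header (REFUSED = 5, RFC 1035).
"""
import struct

DNS_CONTENT_TYPE = "application/dns-message"
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Minimal RD=1 query with one question, as a DoH client would send it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)


def make_response(query: bytes, rcode: int) -> bytes:
    """Constructed server reply: echo the question, set QR/RD/RA and RCODE."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


def dns_rcode(msg: bytes, expected_id: int) -> int:
    """Return the RCODE of a wire-format message after checking QR and ID."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    if msg_id != expected_id:
        raise ValueError("response ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    return flags & 0x000F


def classify(status: int, content_type: str, body: bytes, query_id: int) -> str:
    """Map one HTTP response to an outcome the DNS side can act on.

    "dns:<RCODE>"  a real DNS answer; RCODE read from the wire header
    "http-policy"  451: blocked at the HTTP layer. The body is not a DNS
                   message, and the status alone does not tell the client
                   whether the block keyed on origin, path, QNAME or QTYPE.
    "http-error"   any other non-answer response; likewise no DNS data
    """
    if status == 451:
        return "http-policy"
    if status != 200:
        return "http-error"
    if content_type.split(";")[0].strip().lower() != DNS_CONTENT_TYPE:
        # A 200 without a dns-message body is still not an answer; never parse it.
        return "http-error"
    rcode = dns_rcode(body, query_id)
    return "dns:" + RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


# Constructed inputs: DoH clients use ID 0 so answers are cache-friendly.
QUERY_ID = 0
QUERY = build_query(QUERY_ID, "example.com")
SAMPLES = {
    "answer":  (200, "application/dns-message", make_response(QUERY, 0)),
    "refused": (200, "application/dns-message", make_response(QUERY, 5)),
    "blocked": (451, "text/html; charset=utf-8",
                b"<html>Unavailable for legal reasons</html>"),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: outcome}."""
    return {name: classify(status, ctype, body, QUERY_ID)
            for name, (status, ctype, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:8s} -> {outcome}")
```

The point of the split return values is that the caller can treat "dns:REFUSED" as a policy answer from the resolver for that specific question, while "http-policy" says only that the HTTP request as a whole was rejected, so retrying the same question against the same server is pointless and the body should be surfaced to a human rather than parsed.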