Re: [Doh] DoH and PAC

Valentin Gosu <valentin.gosu@gmail.com> Tue, 06 September 2022 10:58 UTC

References: <A896A2AB-8E65-4C63-BE6A-B4086E14F51E@apple.com>
In-Reply-To: <A896A2AB-8E65-4C63-BE6A-B4086E14F51E@apple.com>
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Tue, 06 Sep 2022 12:54:25 +0200
Message-ID: <CACQYfi+hc0PYiPqeQwWb-Wvzq451ttaaejoc2X9Ta06gHVZVDA@mail.gmail.com>
To: Guoye Zhang <guoye_zhang=40apple.com@dmarc.ietf.org>
Cc: ietf-http-wg <ietf-http-wg@w3.org>, doh@ietf.org
Archived-At: <https://www.w3.org/mid/CACQYfi+hc0PYiPqeQwWb-Wvzq451ttaaejoc2X9Ta06gHVZVDA@mail.gmail.com>

Hi Guoye,

We had the same problem in Firefox, and our solution was the same [1].
Given the way PAC is used I think not using DoH makes sense.
We also had a similar deadlock with OCSP [2], where you need to wait for
the OCSP check for the DoH server's certificate, but that OCSP check also
needs to resolve DNS.

Cheers!

[1] https://searchfox.org/mozilla-central/rev/3f9dcc016dd96a0336d46f4a19aeabdd796ab9e9/netwerk/base/ProxyAutoConfig.cpp#237-242
[2] https://searchfox.org/mozilla-central/rev/3f9dcc016dd96a0336d46f4a19aeabdd796ab9e9/netwerk/protocol/http/HttpBaseChannel.cpp#488-494

On Mon, 5 Sept 2022 at 20:06, Guoye Zhang <guoye_zhang=40apple.com@dmarc.ietf.org> wrote:

> Hi,
>
> Recently, we identified an issue where DNS over HTTPS (DoH) and Proxy
> Auto-Configuration (PAC) deadlock with each other.
>
> To briefly introduce what they are: As its name indicates, DoH is DNS
> queries over HTTPS; PAC is a JavaScript function that, given a URL,
> tells you whether we should go over a proxy or connect directly.
>
> The problem arises when both DoH and PAC are configured on the system. In
> order to fetch an HTTP resource, we first need to consult the PAC script.
> The PAC script is usually fetched from an HTTP URL and we are smart enough
> not to consult the PAC script for itself. However, fetching the script does
> require DNS resolution, which goes over DoH. DoH creates an HTTP connection
> and consults PAC, and here is where it deadlocks. Another case is where PAC
> scripts can also manually initiate DNS resolution through JavaScript APIs
> like `dnsResolve()`.
>
> DoH depends on PAC and PAC depends on DoH. We have to break the chain
> somewhere, and the decision was to never use DoH in PAC: fetching the PAC
> script and JavaScript DNS APIs inside PAC always use cleartext DNS.
>
> Are there any other HTTP client implementations facing the same issue?
> What are your solutions?
>
> Thanks,
> Guoye Zhang
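An added example (not code from Firefox, Apple or anyone in the thread) that models the dependency cycle described above: a page load consults PAC, fetching PAC needs DNS, DNS over DoH is an HTTP fetch that consults PAC again, and the TLS connection to the DoH server adds the OCSP variant from [2]. Host names are made up, and it assumes the DoH server's own address is bootstrapped out of band; `run(False)` reports the re-entrant chain, `run(True)` applies the "never use DoH for PAC fetch, `dnsResolve()` or the DoH server's OCSP check" policy and completes.

```python
# Constructed model of the DoH/PAC/OCSP cycle from the thread; not Firefox or Apple code.
PAC_URL = "http://pac.example/proxy.pac"  # made-up hosts throughout
DOH_URL = "https://doh.example/dns-query"
OCSP_URL = "http://ocsp.example/"
# Lookups made in these contexts must never go over DoH, or the cycle never ends.
CLEARTEXT_ONLY = {"pac-fetch", "pac-dnsResolve", "ocsp-for-doh"}
class Deadlock(Exception):
    pass
class Client:
    def __init__(self, break_cycle):
        self.break_cycle = break_cycle  # apply the CLEARTEXT_ONLY policy?
        self.pac_loaded = False
        self.pending = []  # in-flight tasks; re-entering one is a deadlock
        self.lookups = []  # (host, context, transport) for inspection
    def _run(self, task, fn):
        if task in self.pending:
            raise Deadlock(" -> ".join(self.pending + [task]))
        self.pending.append(task)
        try:
            fn()
        finally:
            self.pending.pop()
    def fetch(self, url, ctx="normal"):
        host = url.split("/")[2]
        def body():
            if ctx != "pac-fetch":  # the PAC script is not consulted for itself
                self.proxy_for(host)
            self.resolve(host, ctx)
            if url == DOH_URL:  # TLS to the DoH server: OCSP-check its certificate
                self.fetch(OCSP_URL, "ocsp-for-doh")
        self._run(f"fetch {url}", body)
    def proxy_for(self, host):
        if not self.pac_loaded:
            self.fetch(PAC_URL, "pac-fetch")
            self.pac_loaded = True
        self.resolve(host, "pac-dnsResolve")  # the script itself calls dnsResolve()
    def resolve(self, host, ctx):
        def body():  # assumption: the DoH server's own address is bootstrapped out of band
            if host == "doh.example" or (self.break_cycle and ctx in CLEARTEXT_ONLY):
                self.lookups.append((host, ctx, "cleartext"))
            else:
                self.lookups.append((host, ctx, "doh"))
                self.fetch(DOH_URL, "doh-query")  # a DoH query is itself an HTTP fetch
        self._run(f"resolve {host} ({ctx})", body)

def run(break_cycle, url="https://site.example/"):
    c = Client(break_cycle)  # one page load: ('ok', lookups) or ('deadlock', chain)
    try:
        c.fetch(url)
    except Deadlock as e:
        return "deadlock", str(e)
    return "ok", c.lookups
```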