DoH and PAC

Guoye Zhang <guoye_zhang@apple.com> Mon, 05 September 2022 18:09 UTC

Cc: doh@ietf.org
To: ietf-http-wg <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/A896A2AB-8E65-4C63-BE6A-B4086E14F51E@apple.com>

Hi,

Recently, we identified an issue that DNS over HTTPS (DoH) and Proxy Auto-Configuration (PAC) deadlock with each other.

To briefly introduce what they are: as its name indicates, DoH is DNS queries over HTTPS; PAC is a JavaScript function that, given a URL, tells you whether to go over a proxy or connect directly.

The problem arises when both DoH and PAC are configured on the system. In order to fetch an HTTP resource, we first need to consult the PAC script. The PAC script is usually fetched from an HTTP URL, and we are smart enough not to consult the PAC script for itself. However, fetching the script does require DNS resolution, which goes over DoH. DoH creates an HTTP connection and consults PAC, and here is where it deadlocks. Another case is where PAC scripts can also manually initiate DNS resolution through JavaScript APIs like `dnsResolve()`.

DoH depends on PAC and PAC depends on DoH. We have to break the chain somewhere, and the decision was to never use DoH in PAC: fetching the PAC script and the JavaScript DNS APIs inside PAC always use cleartext DNS.

Are there any other HTTP client implementations facing the same issue? What are your solutions?

Thanks,
Guoye Zhang
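The dependency cycle described in the message, and the break chosen for it, modelled as an added JavaScript example. This is not code from the original message or from Apple's implementation: the hosts, URLs, DNS answer table and PAC body are constructed, the client pipeline is a toy, and the re-entrancy guard that throws `DeadlockError` stands in for what a real client would do at that point, which is hang. Resolving the DoH server's own name through the cleartext resolver is an assumption standing in for DoH bootstrap, which the message does not discuss.

```javascript
// Added example, not code from the original message: a toy HTTP client whose
// proxy selection (PAC) and name resolution (DoH) depend on each other.
// Every host, URL and DNS answer below is constructed; nothing touches the network.

const PAC_URL = "http://pac.corp.example/proxy.pac";      // constructed
const DOH_URL = "https://doh.resolver.example/dns-query"; // constructed
const DOH_HOST = new URL(DOH_URL).hostname;

// Constructed answer table shared by the cleartext (Do53) resolver and the DoH
// server: same data, only the transport differs.
const DNS_TABLE = {
  "pac.corp.example": "192.0.2.10",
  "proxy.corp.example": "192.0.2.30",
  "doh.resolver.example": "192.0.2.53",
  "www.example.com": "198.51.100.80",
};

// Constructed PAC body. Real scripts define FindProxyForURL(url, host) and may
// call dnsResolve(host) through the PAC JavaScript API, as the message notes.
function findProxyForURL(url, host, dnsResolve) {
  const ip = dnsResolve(host);
  return ip && ip.startsWith("192.0.2.") ? "DIRECT" : "PROXY proxy.corp.example:8080";
}

class DeadlockError extends Error {}

class Client {
  // pacUsesDoH = true reproduces the deadlock; false is the break the message chose.
  constructor({ pacUsesDoH }) {
    this.pacUsesDoH = pacUsesDoH;
    this.pacLoaded = false;
    this.pacLoading = false; // re-entrancy guard; a real client would simply hang
    this.trace = [];
  }

  cleartextResolve(host) {
    this.trace.push(`do53 ${host}`);
    return DNS_TABLE[host] ?? null;
  }

  dohResolve(host, ctx) {
    this.trace.push(`doh ${host}`);
    // A DoH query is itself an HTTP request, so it runs through the whole
    // client pipeline, including proxy selection.
    this.fetch(DOH_URL, ctx);
    return DNS_TABLE[host] ?? null;
  }

  resolve(host, ctx) {
    // Assumption: the DoH server's own name is bootstrapped over cleartext DNS.
    if (host === DOH_HOST) return this.cleartextResolve(host);
    // The break from the message: anything done on behalf of PAC stays on cleartext.
    if (ctx.insidePac && !this.pacUsesDoH) return this.cleartextResolve(host);
    return this.dohResolve(host, ctx);
  }

  ensurePac(ctx) {
    if (this.pacLoaded) return;
    if (this.pacLoading) {
      // Fetching the PAC script needed DNS, DNS went over DoH, DoH needed proxy
      // selection, and proxy selection is waiting on this very fetch.
      throw new DeadlockError("PAC fetch re-entered while the PAC fetch is in progress");
    }
    this.pacLoading = true;
    this.fetch(PAC_URL, { ...ctx, insidePac: true });
    this.pacLoading = false;
    this.pacLoaded = true;
  }

  proxyFor(url, ctx) {
    this.ensurePac(ctx);
    const pacCtx = { ...ctx, insidePac: true };
    return findProxyForURL(url, new URL(url).hostname, (h) => this.resolve(h, pacCtx));
  }

  fetch(url, ctx = { insidePac: false }) {
    const host = new URL(url).hostname;
    // The client does not consult the PAC script for the PAC script itself.
    const proxy = url === PAC_URL ? "DIRECT" : this.proxyFor(url, ctx);
    const target = proxy === "DIRECT" ? host : proxy.split(" ")[1].split(":")[0];
    const ip = this.resolve(target, ctx);
    this.trace.push(`connect ${target} -> ${ip} (${proxy})`);
    return { url, proxy, ip };
  }
}

// Runs one fetch under each policy and reports whether it completed or deadlocked.
function runScenario(pacUsesDoH) {
  const client = new Client({ pacUsesDoH });
  try {
    const res = client.fetch("https://www.example.com/");
    return { outcome: "ok", proxy: res.proxy, ip: res.ip, trace: client.trace };
  } catch (e) {
    if (e instanceof DeadlockError) return { outcome: "deadlock", trace: client.trace };
    throw e;
  }
}

console.log("DoH inside PAC:", runScenario(true));
console.log("cleartext inside PAC:", runScenario(false));
```

The trace of the first run shows the loop the message describes: the PAC fetch resolves its host over DoH, the DoH request asks for proxy selection, and proxy selection needs the PAC script that is still being fetched. In the second run every lookup made on behalf of PAC (the script's own host and the `dnsResolve()` calls) is tagged `do53`, while ordinary requests still resolve over DoH.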