On Fri, Sep 15, 2017 at 6:52 PM, Mark Nottingham <mnot@xxxxxxxx> wrote:
> On 16 Sep 2017, at 6:53 am, Ted Hardie <ted.ietf@xxxxxxxxx> wrote:
>
> You're making an assumption that I don't think is established, that the requests using HTTPS for DNS are not distinguishable from other resources. If they were keyed by something like dnsh://authority/query-target?RR (to pick on poor old RFC 4501 again), they would be in _javascript_ *even if they were not on the wire*. As before, I read the charter as saying that this protocol will use HTTP in the sense of <https://mnot.github.io/I-D/
bcp56bis/#used > -- i.e., defining a new URI scheme is out of scope. If that's not clear, it should be made explicit.
So, I don't that this is established. One mental model for this work is that DNS, having started with UDP and TCP as transports, has now added a set of additional secure transports. Two of those were defined in DPRIV; this defines another. From that perspective, any time an application requires a DNS name to be resolved, the relevant local code would try the set of secure transports until it got an answer. The application may not know which is used and does not specify it; it is simply getting the DNS answer back that allows it to proceed. The name of the group (DNS over HTTP), the justification at the beginning of the charter:
This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS) experience problems. This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS)
experience problems.
and Paul's input draft all point to that interpretation. Note especially that Paul's draft provides the UDP wireformat as response. To me, that strongly hints that the results of this get handed to the same bit of code that would take the UDP wireformat from other transports (like UDP) and do what it would have done with data retreived from any of those. That behavior makes sense for DNS transported over HTTP, where you are talking to an authoritative server or shared resolver over a new transport.
That order of operations does not make sense as a new resource type available to web applications, in part because they can't tell from examining the URI whether the resulting *resource* obeys CORS or not. There are serious attacks here that even DNSSEC won't catch, because a malicious server and cooperating _javascript_ app could give correct answers that are non performant (like the search engine instance on the most distant continent). And, if there really was a handoff to the local DNS subsystem for parsing and processing, the _javascript_ also wouldn't be able to tell whether the result they get from that subsystem is the one that the just retrieved (because a cache entry from some other system may have a different SOA record and be returned as a result instead). To avoid that, they would have build udp wireformat parsers into the downloadable _javascript_.
I think if you want the second, a way of making DNS resources available to web applications, you need a very different approach; it may be valuable, but I don't believe this charter covers it. If it is meant to, it needs a major re-write.
regards,
Ted