Re: [Doh] WG Review: DNS Over HTTPS (doh)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Sep 16, 2017 at 8:00 PM, Mark Nottingham <mnot@xxxxxxxx> wrote:

> So, I don't that this is established.  One mental model for this work is that DNS, having started with UDP and TCP as transports, has now added a set of additional secure transports.  Two of those were defined in DPRIV; this defines another.  From that perspective, any time an application requires a DNS name to be resolved, the relevant local code would try the set of secure transports until it got an answer.  The application may not know which is used and does not specify it; it is simply getting the DNS answer back that allows it to proceed.

Every time people start talking in this manner and referring to HTTP as a "transport", I get flashbacks to WS-* and what a glorious failure that was.


If it helps, I am happy to say "facilitating protocol".  The mental model question for the charter is really:

Does this add a new tool for DNS systems attempting resolution to use when previous efforts are blocked?  So any DNS resolution might use it, whether from a browser, an app, or system call, but that those would not *specify* it be used?

Does this add a method for Web application to directly resolve DNS resource records using a resolver self-identified in the _javascript_?  So DNS resolutions are instantiated and consumed by _javascript_ without any intermediation by the local DNS resolver or the browser's DNS rules?

Does this charter aim for the working group to do both?

As currently written, I see the charter describing 1.  There has been an argument that it also do 2 or that 2 becomes possible when 1 is specified and is thus automatically part of the scope.  If that is the case, I believe the charter needs a re-write to describe it. 
 
> The name of the group (DNS over HTTP), the justification at the beginning of the charter:
>
> This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS) experience problems. This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS)
> experience problems.
>
> and Paul's input draft all point to that interpretation.  Note especially that Paul's draft provides the UDP wireformat as response.  To me, that strongly hints that the results of this get handed to the same bit of code that would take the UDP wireformat from other transports (like UDP) and do what it would have done with data retreived from any of those.  That behavior makes sense for DNS transported over HTTP, where you are talking to an authoritative server or shared resolver over a new transport.

I don't disagree that the charter lays out that the goal is to enable the use case of DNS using HTTP semantics -- that's hopefully uncontroversial.

> That order of operations does not make sense as a new resource type available to web applications, in part because they can't tell from examining the URI whether the resulting *resource* obeys CORS or not.

It's not clear why that's an important property. Why is it necessary?


If it goes into a browser or system cache, it is an important property; it may also be important depending on the UI result.  If the _javascript_-internal resolution process feeds other parts of the page, it may even be a problem.
 
> There are serious attacks here that even DNSSEC won't catch, because a malicious server and cooperating _javascript_ app could give correct answers that are non performant (like the search engine instance on the most distant continent).

Who would be consuming these answers? How is this different from configuring your system to use a malicious DNS resolver (either in an application or the OS)?

Because the _javascript_ you download could pick the resolver.  The OS and browser are largely trusted; the _javascript_ is largely not.
 
> And, if there really was a handoff to the local DNS subsystem for parsing and processing, the _javascript_ also wouldn't be able to tell whether the result they get from that subsystem is the one that the just retrieved (because a cache entry from some other system may have a different SOA record and be returned as a result instead).  To avoid that, they would have build udp wireformat parsers into the downloadable _javascript_.
>
> I think if you want the second, a way of making DNS resources available to web applications, you need a very different approach; it may be valuable, but I don't believe this charter covers it.  If it is meant to, it needs a major re-write.

I agree there are significant risks when using DNS. I think the question is what to do about it.

One thing the WG could do would be to write some Security Considerations about the different ways this could be sub-optimal or even dangerous.

I don't see how giving the protocol a new URI scheme avoids these risks, given that the defined resources would be available over HTTP still.


It gives the browser something to look at.  If it rejects udp-wireformat mime types being returned from HTTPS URIs but accepts them from dnsh URIs, it can handle the data differently.  I don't know that browsers want to do that, mind you, I'm simple saying that the working group could decide that this was a reasonable facility to consider.  Ruling out ways for the ecosystem to distinguish this from other web resources seems to be the wrong way to go, at least to me.

regards,

Ted

 
Cheers,

--
Mark Nottingham   https://www.mnot.net/




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]