Howdy,
I'll try to snip pieces not salient without hindering attribution; hope that helps.On Mon, Sep 18, 2017 at 5:26 PM, Mark Nottingham <mnot@xxxxxxxx> wrote:
Hi Ted,
Sorry, threading is a bit confusing below (thanks, GMail).
> On 19 Sep 2017, at 3:20 am, Ted Hardie <ted.ietf@xxxxxxxxx> wrote:
>
> On Sat, Sep 16, 2017 at 8:00 PM, Mark Nottingham <mnot@xxxxxxxx> wrote:
>
> If it helps, I am happy to say "facilitating protocol". The mental model question for the charter is really:
>
> Does this add a new tool for DNS systems attempting resolution to use when previous efforts are blocked? So any DNS resolution might use it, whether from a browser, an app, or system call, but that those would not *specify* it be used?
That sounds like an implementation choice, not a protocol decision. What in the protocol could constrain that?
I'm talking about the goals here. If the intent is to have this facilitating protocol hot-swappable for any other method of interacting between a DNS client and DNS server, we have a set of tasks in front of the working group and a good idea of where the trade-offs should lean.
> Does this add a method for Web application to directly resolve DNS resource records
Well, once it's available over HTTP, that's certainly possible. A quick search for "DNS lookup online" shows many people doing that already, albeit with different formats.
> using a resolver self-identified in the _javascript_? So DNS resolutions are instantiated and consumed by _javascript_ without any intermediation by the local DNS resolver or the browser's DNS rules?
What does "a resolver self-identified in the _javascript_" mean, exactly?
Are you supposing some sort of rendezvous system where I can "install" a DOH resolver from one origin and have it affect requests sent to another?
Can I have _javascript_ retrieve a resource like https://dns.initial-origin.example/query-for-dns?www.major-search-engine.example then use the result in place of the browser's DNS routines or the system DNS routines for retrieving https://www.major-search-engine.example/ within that JavaScrit application? If that is possible, then I need to know where the DNS data retrieved can be reused and I need to know whether the rendering distinguishes in any way between data so retrieved and data retrieved by a more trusted element. Does the data end up in the browser's DNS cache? Does a hover over an element show that this URI would be using a _javascript_ supplied resolver to retrieve the location should I click?
Doing so isn't possible on the current Web, so enabling it would require some fairly heavy lifting at the W3C and/or WHATWG (which on the face of it, they're not likely to think is sane). I can only hope that defining such a thing is out of scope for this WG, as we truly don't have the expertise here.
Interestingly, that's not what I understood others' answer to be. Their view was that since https://dns.initial-origin.example/query-for-dns?www.major-search-engine.example was within the initial-origin, resources from it would be treated as same origin. If I understood correctly the code that would limit those resources to same origin isn't present and would have to run after the UDP wireformat was parsed (otherwise there are trivial attacks in returning additional data that cache poisons whatever the scope of use turns out to be).
> Does this charter aim for the working group to do both?
>
> As currently written, I see the charter describing 1. There has been an argument that it also do 2 or that 2 becomes possible when 1 is specified and is thus automatically part of the scope. If that is the case, I believe the charter needs a re-write to describe it.
See above.
>
> > The name of the group (DNS over HTTP), the justification at the beginning of the charter:
> >
> > This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS) experience problems. This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS, and DTLS)
> > experience problems.
> >
> > and Paul's input draft all point to that interpretation. Note especially that Paul's draft provides the UDP wireformat as response. To me, that strongly hints that the results of this get handed to the same bit of code that would take the UDP wireformat from other transports (like UDP) and do what it would have done with data retreived from any of those. That behavior makes sense for DNS transported over HTTP, where you are talking to an authoritative server or shared resolver over a new transport.
>
> I don't disagree that the charter lays out that the goal is to enable the use case of DNS using HTTP semantics -- that's hopefully uncontroversial.
>
> > That order of operations does not make sense as a new resource type available to web applications, in part because they can't tell from examining the URI whether the resulting *resource* obeys CORS or not.
>
> It's not clear why that's an important property. Why is it necessary?
>
>
> If it goes into a browser or system cache, it is an important property; it may also be important depending on the UI result. If the _javascript_-internal resolution process feeds other parts of the page, it may even be a problem.
When you say "cache", do you mean HTTP or DNS? I'm afraid I still don't get what you're looking for here.
I mean DNS cache. My apologies for the earlier inexactness.
> > There are serious attacks here that even DNSSEC won't catch, because a malicious server and cooperating _javascript_ app could give correct answers that are non performant (like the search engine instance on the most distant continent).
>
> Who would be consuming these answers? How is this different from configuring your system to use a malicious DNS resolver (either in an application or the OS)?
>
> Because the _javascript_ you download could pick the resolver. The OS and browser are largely trusted; the _javascript_ is largely not.
OK, this seems to indicate you *do* think that somehow arbitrary JS can take over DNS resolution for the system or browser. What led you to that conclusion?
The goal to use this as a swappable facilitating protocol for DNS resolution led me to that conclusion; in that usage, the resulting DNS data would populate the relevant DNS cache. Re-using the same system within _javascript_ naively would have very bad properties; some segregation to handle the different levels of trust is required.
>
> I don't know that browsers want to do that, mind you, I'm simple saying that the working group could decide that this was a reasonable facility to consider. Ruling out ways for the ecosystem to distinguish this from other web resources seems to be the wrong way to go, at least to me.
Again, I don't think this WG should be attempting to allow any sort of automated control of browser or system DNS resolution from the Web (e.g., JS, triggered by arbitrary URI schemes, mime types, whatever); I've seen zero desire from any implementer to allow that, it's fraught with security, privacy and other issues, and has dubious benefit.
Should I take it that you disagree with the assertion that if we build for goal 1 (a swappable facilitating protocol) that we have automatically built a mechanism that is callable within a _javascript_ application (which, as I understand it, Adam and others believe)?
The use case that I believe most have in mind is "as a user, I want to configure my [browser, OS] to use *this* DOH service for DNS resolution" -- where that configuration is manual; e.g., a configuration textbox or dropdown in the browser, or a file in /etc. It might be made more user-friendly; e.g., it could be automatic when the user goes into the ill-defined "private mode."
Would you consider a system in which the local browser or OS tested for the availability of a DOH server at a supplied address within scope (that would be one way to re-use the current DHCP-supplied servers, for example)?
The current charter allows that. I *think* the issues you're concerned about are in a very different area -- roughly, "automated control of DNS resolution." I'm not sure where you got the sense that this was on the table, but if it will help, write it out of the charter.
My concern isn't just that it be out of scope of the charter, its that it either be not in the capability set of the resulting work or well-handled in that context. Folks asserting that it could not be eliminated from the capability set for _javascript_ applications caused me to focus on the latter. If the work can be constrained such that this does not arise, so much the better.
regards,
Ted