On 08/11/2018 09:20 PM, Patrick McManus wrote: > * Page 15: > > It is the choice of a client to either > > perform full DNSSEC validation of answers or to trust the DoH > server > > to do DNSSEC validation and inspect the AD (Authentic Data) bit in > > the returned message to determine whether an answer was > authentic or > > not. > > Relying on the DoH server for DNSsec validation does not seem like a > good idea. > You want DNSsec to be end-to-end. > > > my understanding is that giving the client the choice between doing > DNSSEC validation and trusting the recursive to do so is standard DNS > practice. What I had in mind when making this comment is this: There seem to be anycast resolvers implementing DoH (e.g., CLoudflare's and others, if I understand correctly). Giving them the responsibility for DNSsec validation would seem to me as giving them way too much power (i.e., what if they were compromised and/or went evil?) > * Page 15 (Security Considerations): > > DoH essentialy switches from a connection-less transport (UDP) to a > connection-oriented one (TCP). > > I disagree a bit. It adds a third TCP based DNS based approach to the > DNS over TCP and DNS over TLS approaches already standardized so it is > not breaking new ground in that sense. To put it in a different way: * What would be the impact if an attacker were to DoS TCP-based resolution in the traditional case? (i.e., while UDP-based resolution still works) * What would be the impact if an attacker were to DoS (HTTPS/)TCP-based resolution in the DoH case? If the impact were the same, then just say that, and no need to worry. But my understanding is that in current deployments you normally only fall back to TCP when the UDP response was truncated, whereas with DoH, you rely 100% on TCP. > This means that now the server should take care > of all state-exhaustion attacks against TCP (e.g., take a look at: > https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf > <https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>). > Defending > against such attacks maybe non-trivial. This should at least be > mentioned in > the security considerations. > > DoH seeks to use HTTPS substrate best practices in order to inherit the > well known properties and defenses of HTTPS. The first sentence of the > security considerations tries to say this "Running DNS over HTTPS relies > on the security of the underlying HTTP transport." I don't think it > makes sense to have each foo-over-http consider the baseline > considerations separately. I don't mean you need to elaborate on how to defend it. JUst noted that if you completely get rid of UDP-base resolution, then the TCP one (in this case DoH) becomes even more critical, and the impact of a DoS against TCP-based resolution is higher. And defending a stateful protocol like TCP against resource exhaustion attacks is non-trivial. > > > * Page 16:> > > HTTP [RFC7230] is a stateless application-level protocol and > > therefore DoH implementations do not provide stateful ordering > > guarantees between different requests. > > Are you meaning that requests that are pipelined could be responded in > different order? Something else? > > > one of the relevant things http means when it says it is stateless > (which iirc is the first sentence of 7230) is the requests themselves > can also be reordered by intermediaries or even routed onto different > connections.. some may hit various caches and not even be placed on the > connection. sometimes the 'intermediary' is the library or javascript > engine you are using - DoH is meant to be expressable at the semantic > layer of bodies and headers. This particular point was raised in > conjunction with dnsop's session signal draft which requires a stateful > DNS transport.. HTTPS is stateless message based (despite being layered > on TCP) and therefore we want to be clear DoH won't work for building a > session layer. (that draft is coordinated). Maybe I'm a bit confused. If, on the same connection, I send a request to resolve "A" and subsequently a request to resolve "B", the result of the later might come before than the result of the former? (I'm trying to understand what the "ordering guarantees" that are not provided with DoH). Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@xxxxxxxxxxxxxxx PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
