Re: [Doh] A question on the mix of DNS and HTTP semantics
Tony Finch <dot@dotat.at> Sun, 18 March 2018 10:11 UTC
Date: Sun, 18 Mar 2018 10:11:41 +0000
From: Tony Finch <dot@dotat.at>
To: Ted Hardie <ted.ietf@gmail.com>
cc: doh@ietf.org
In-Reply-To: <CA+9kkMB7awRfW9jUmY9Q-1p+w3VLtpG5DxhF3s7Q58nEMZeX3w@mail.gmail.com>
Message-ID: <alpine.DEB.2.11.1803181007050.16965@grey.csi.cam.ac.uk>
References: <CA+9kkMB7awRfW9jUmY9Q-1p+w3VLtpG5DxhF3s7Q58nEMZeX3w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/XAvUlLxrBfoAm_bvwJXeKtAs4sk>
Yesterday at the IETF 101 Hackathon I was working on a DoH server. I've written up some notes at https://fanf.dreamwidth.org/123507.html for those who might be interested.

I was going to send this as a separate thread, but it's basically the same topic as Ted's message, so I'm sending it as a reply. The approach I have taken is basically Ted's option (2). The rest of this message is what I wrote before reading Ted's note...

One of the questions I bumped into was what kind of HTTP errors my server should generate. I have had another quick look through the draft but I couldn't see anything particularly addressing this issue. So here are some sketchy suggestions.

In the following I say "browser-friendly" to mean `text/html` or `text/plain` or something like that, but definitely not `application/dns-udpwireformat`.

If the request is not HEAD/GET/POST, I return 405 Method Not Allowed with a browser-friendly body.

For POST requests with an unknown Content-Type, or GET requests with an unknown or missing `ct=` parameter, my server returns 415 Unsupported Media Type with a browser-friendly body.

If the `dns=` parameter is missing from a GET request, the best response seems to be a browser-friendly 400 Bad Request. Sam Kington (not an IETFer afaik) suggested 422 Unprocessable Entity, but that implies the request is well-formed, which isn't really the case. (My server returns 418 I'm A Teapot for fun.) Bad `base64url` encoding should produce the same response.

If the request's Accept: header doesn't allow `application/dns-udpwireformat` then the response should be a browser-friendly 406 Not Acceptable.

I think if the request passes these checks, the server knows it has a request in DNS format and a client that wants a response in DNS format, so it can just hand over to its DNS processing code. Regardless of the DNS RCODE in the response, the HTTP status code should be 200 OK.

My logic up to this point is to send a browser-friendly response if the client seems to be unprepared to talk to a DoH server. There are some other cases - e.g. HTTP authentication or redirects - which ought to be handled by the HTTP layers before the request processing gets to the DoH logic, so in these cases the response bodies will naturally be browser-friendly. But perhaps it's worth noting them in the draft so that DoH clients should be prepared to handle them gracefully.

Tony.

-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Dover, Wight, Portland, Plymouth: Northeast, becoming cyclonic in Portland and Plymouth, 6 to gale 8. Moderate or rough. Occasional snow. Moderate or good, occasionally very poor.
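The status-code ladder described in the message above, written out as an added example (not Tony's server code): the pre-DNS checks run in the order given, every rejection carries a browser-friendly `text/plain` body, and only a request that is a DNS message from a client that accepts one back reaches the DNS code, which then answers 200 regardless of RCODE. The request shape (method, query parameters, headers, body) and the helper names are this example's own assumptions; the media type is the draft-era `application/dns-udpwireformat` used in the message.

```python
import base64
import binascii

# Media type from the DoH draft as discussed in the message (later drafts renamed it).
DNS_CT = "application/dns-udpwireformat"


def accepts(accept_header, media_type):
    """True if an Accept header allows media_type (exact, type/*, or */*).

    Deliberately simple: q-values are ignored, so `q=0` entries still count as allowed.
    """
    wanted_type = media_type.split("/")[0]
    for entry in accept_header.split(","):
        mt = entry.split(";")[0].strip().lower()
        if mt in (media_type, "*/*", wanted_type + "/*"):
            return True
    return False


def classify_doh_request(method, params, headers, body=b""):
    """Run the checks from the message in order; returns (status, content_type, body).

    Any non-200 result is browser-friendly text. A 200 result carries the raw DNS
    query bytes for the caller to hand to its DNS code (assumed request shape).
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if method not in ("HEAD", "GET", "POST"):
        return 405, "text/plain", "method not allowed\n"
    if method == "POST":
        if headers.get("content-type") != DNS_CT:
            return 415, "text/plain", "unsupported media type\n"
        wire = body
    else:
        if params.get("ct") != DNS_CT:
            return 415, "text/plain", "unsupported media type\n"
        encoded = params.get("dns")
        if encoded is None:
            return 400, "text/plain", "missing dns= parameter\n"
        try:
            # base64url, padding optional: re-pad, then decode strictly so stray
            # characters are rejected instead of silently skipped.
            padded = encoded + "=" * (-len(encoded) % 4)
            wire = base64.b64decode(padded, altchars=b"-_", validate=True)
        except (binascii.Error, ValueError):
            return 400, "text/plain", "bad base64url in dns= parameter\n"
    # Absent Accept means the client takes anything (HTTP semantics).
    if not accepts(headers.get("accept", "*/*"), DNS_CT):
        return 406, "text/plain", "not acceptable\n"
    return 200, DNS_CT, wire
```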