Network Working Group                                        D. Schinazi
Internet-Draft                                                Google LLC
Intended status: Experimental                                N. Sullivan
Expires: 14 January 2021                                         J. Kipp
                                                              Cloudflare
                                                            13 July 2020

                      DoH Preference Hints for HTTP
              draft-schinazi-httpbis-doh-preference-hints-02

Abstract

When using a publicly available DNS-over-HTTPS (DoH) server, some
clients may suffer poor performance when the authoritative DNS server
is located far from the DoH server.
For example, a publicly available DoH server provided by a Content
Delivery Network (CDN) should be able to resolve names hosted by that
CDN with good performance but might take longer to resolve names
provided by other CDNs, or might provide suboptimal results if that
CDN is using DNS-based load balancing and returns different address
records depending on where the DNS query originated from. This
document attempts to lessen these issues by allowing the web server
to indicate to the client which DoH server can best resolve its
addresses. This document defines an HTTP header field that enables
web host operators to inform user agents of the preferred DoH servers
to use for subsequent DNS lookups for the host's domain.

Discussion of this work is encouraged to happen on the ADD IETF
mailing list add@ietf.org or on the GitHub repository which contains
the draft:
https://github.com/DavidSchinazi/draft-httpbis-doh-preference-hints.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 14 January 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Conventions and Definitions
2. The DoH-Preference Header Field
   2.1. The max-age Directive
   2.2. Examples
3. Server Behavior
   3.1. Considerations For Choosing a Preferred DoH Server
4. Client Behavior
   4.1. Fallback
5. Internationalization Considerations
6. Security Considerations
7. IANA Considerations
8. Normative References
Acknowledgments
Authors' Addresses

1. Introduction

When using a publicly available DNS-over-HTTPS (DoH) server, some
clients may suffer poor performance when the authoritative DNS server
is located far from the DoH server.
For example, a publicly available DoH server provided by a Content
Delivery Network (CDN) should be able to resolve names hosted by that
CDN with good performance but might take longer to resolve names
provided by other CDNs, or might provide suboptimal results if that
CDN is using DNS-based load balancing and returns different address
records depending on where the DNS query originated from. This
document attempts to lessen these issues by allowing the web server
to indicate to the client which DoH server can best resolve its
addresses. This document defines an HTTP header field that enables
web host operators to inform user agents of the preferred DoH servers
to use for subsequent DNS lookups for the host's domain.

When a web server wishes its client to use a specific DoH server to
resolve its addresses, it can send the DoH-Preference header to
indicate that preference to the user agent. The header is not
prescriptive; it only indicates the server's preference to the user.
It also only applies to the web server's current hostname.

The header defined in this document is not intended to be used as a
discovery mechanism for clients learning about the existence of new
DoH servers. Instead, it is intended to be used as an optimization
technique for clients with support for multiple DoH servers who wish
to choose the most performant DNS server for a given query.

Discussion of this work is encouraged to happen on the ADD IETF
mailing list add@ietf.org or on the GitHub repository which contains
the draft:
https://github.com/DavidSchinazi/draft-httpbis-doh-preference-hints.

1.1. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

This document uses the Augmented BNF defined in [RFC5234] and updated
by [RFC7405] along with the "#rule" extension defined in Section 7 of
[RFC7230]. The rules below are defined in [RFC5234], [RFC7230], and
[RFC7234]:

   OWS           = <OWS, see [RFC7230], Section 3.2.3>
   delta-seconds = <delta-seconds, see [RFC7234], Section 1.2.1>
   quoted-string = <quoted-string, see [RFC7230], Section 3.2.6>
   token         = <token, see [RFC7230], Section 3.2.6>

2. The DoH-Preference Header Field

An HTTPS origin can indicate its preference regarding DoH servers to
the client by adding a DoH-Preference header field to responses.

   DoH-Preference = doh-uri *( OWS ";" OWS parameter )
   doh-uri        = quoted-string
   parameter      = token "=" ( token / quoted-string )

The "doh-uri" component consists of the DoH URI Template as defined
in [RFC8484].

Sending multiple DoH-Preference header fields indicates that the
server prefers multiple DoH servers. They are sent in decreasing
order of preference.

2.1. The max-age Directive

The REQUIRED "max-age" directive specifies the number of seconds,
after the reception of the DoH-Preference header field, during which
the user agent caches the server's DoH preferences.

The syntax of the max-age directive's REQUIRED value (after
quoted-string unescaping, if necessary) is defined as:

   max-age-value = delta-seconds

A max-age value of zero (i.e., "max-age=0") signals the user agent to
remove the DoH URI template from its cache.

2.2. Examples

The header below indicates that the user agent should consider
querying DNS results for the web server's hostname using
"dnsserver.example.net" for approximately six months. (Lines are
folded to fit.)
   DoH-Preference: "https://dnsserver.example.net/dns-query{?dns}";
                   max-age=15768000

3. Server Behavior

Web servers MAY send a DoH-Preference header to indicate to clients
that they would prefer clients use that DoH server when resolving
addresses for the hostname of the web server. Web servers MAY send
multiple DoH-Preference headers. Web servers MUST NOT send the
DoH-Preference header in HTTP responses conveyed over a non-secure
transport.

3.1. Considerations For Choosing a Preferred DoH Server

The choice of DoH server can affect overall performance and
responsiveness as perceived by the client. Some example
considerations in choosing a preferred DoH server are:

* A DoH host specified as a host name rather than an IP address will
  require one or more additional DNS resolutions when the cached DNS
  entries for the resolver or resolvers expire.

* Support for extension mechanisms (e.g., EDNS(0)) may be desired.

* Clients, particularly mobile device clients, may frequently move
  between networks that have different network paths to the DoH
  server.

4. Client Behavior

If a client chooses to act on received DoH-Preference headers, it
SHOULD cache the server's hostname and the corresponding DoH URI
template and lifetime. It SHOULD then send subsequent DNS requests
for A and AAAA records for that host name to the provided DoH server,
until the cache entry expires after the time specified in the
"max-age" directive. Any received DoH-Preference header replaces and
overrides any and all information received in a previous
DoH-Preference header for the same host name and DoH URI template.

Clients MAY decide to only respect the DoH-Preference header for a
subset of vetted DoH servers.

Clients MUST NOT use the contents of the DoH-Preference header to
impact how they resolve other domain names.
Clients MUST ignore the DoH-Preference header in HTTP responses
conveyed over a non-secure transport.

If the DoH-Preference URI contains a host expressed as a host name
rather than as an IP address and that host name is resolved via DoH,
the DoH server might also specify a DoH-Preference header. This
means that respecting the DoH server recommendation could result in
an excessively long chain of DoH queries or a loop of DoH servers.
Clients SHOULD be capable of detecting a loop or an excessively long
chain of DoH servers and treat these conditions as a query failure.

4.1. Fallback

If resolution using the recommended DoH server fails, clients MUST
fall back and retry their query using another DNS resolution
mechanism.

5. Internationalization Considerations

An internationalized domain name that appears in the header field
MUST be expressed using A-labels; see Section 2.3.2.1 of [RFC5890].

6. Security Considerations

The DoH-Preference header allows a web server to impact how a user
agent resolves DNS A and AAAA records for its own host name. Since
the web server has proven ownership of the domain name via its TLS
certificate and the DNS result that led to the initial connection,
impacting future DNS resolutions to the same host name has limited
security impact.

The potential exists for the DoH-Preference header to be used as a
form of web tracking. Because a DoH URI is chosen by the server,
cached by the client, and then subsequently contacted by the client,
a uniquely chosen DoH URI could identify a client even after other
client-side state has expired or been removed. Clients SHOULD expire
cached DoH URIs when other client state expires or is cleared by the
user unless the URIs refer to vetted DoH servers or match common DoH
URI patterns that preclude client-unique URIs.

7. IANA Considerations

This document, if approved, requests IANA to register the
DoH-Preference header in the "Permanent Message Header Field Names"
registry maintained at
https://www.iana.org/assignments/message-headers/.

   +-------------------+----------+----------+------------+
   | Header Field Name | Protocol | Status   | Reference  |
   +-------------------+----------+----------+------------+
   | DoH-Preference    | http     | standard | Section 2  |
   +-------------------+----------+----------+------------+

The change controller is: "IETF (iesg@ietf.org) - Internet
Engineering Task Force".

8. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997.

[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
          Specifications: ABNF", STD 68, RFC 5234,
          DOI 10.17487/RFC5234, January 2008.

[RFC5890] Klensin, J., "Internationalized Domain Names for
          Applications (IDNA): Definitions and Document Framework",
          RFC 5890, DOI 10.17487/RFC5890, August 2010.

[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
          Protocol (HTTP/1.1): Message Syntax and Routing",
          RFC 7230, DOI 10.17487/RFC7230, June 2014.

[RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
          Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
          RFC 7234, DOI 10.17487/RFC7234, June 2014.

[RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF",
          RFC 7405, DOI 10.17487/RFC7405, December 2014.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
          2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
          May 2017.

[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
          (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.
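The field grammar of Section 2 and the max-age rule of Section 2.1, as an added worked example that is not part of this draft or of any implementation by its authors: a parser for one DoH-Preference field value that accepts the Section 2.2 example (unfolded onto one line). The token and quoted-string patterns follow RFC 7230, parameter names are treated as case-insensitive, and the function names are assumptions; multiple header fields would simply be parsed in the order received, which is the preference order.

```python
import re
from dataclasses import dataclass

# ABNF from Section 2 of the draft:
#   DoH-Preference = doh-uri *( OWS ";" OWS parameter )
#   doh-uri        = quoted-string
#   parameter      = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
URI_RE = re.compile(QUOTED)
PARAM_RE = re.compile(rf"[ \t]*;[ \t]*({TOKEN})=({TOKEN}|{QUOTED})")

@dataclass
class DohPreference:
    template: str  # DoH URI template as in RFC 8484
    max_age: int   # seconds to cache; 0 means "remove from cache"

def unquote(s: str) -> str:
    """Strip quoted-string delimiters and undo backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s

def parse_doh_preference(value: str) -> DohPreference:
    """Parse one DoH-Preference field value; ValueError on malformed input."""
    value = value.strip(" \t")
    m = URI_RE.match(value)
    if not m:
        raise ValueError("doh-uri must be a quoted-string")
    template, pos, params = unquote(m.group(0)), m.end(), {}
    while pos < len(value):
        m = PARAM_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed parameter at offset {pos}")
        params[m.group(1).lower()] = unquote(m.group(2))
        pos = m.end()
    # max-age is REQUIRED and its value is delta-seconds (digits only).
    if not re.fullmatch(r"[0-9]+", params.get("max-age", "")):
        raise ValueError("missing or non-numeric max-age directive")
    return DohPreference(template, int(params["max-age"]))

def is_valid(value: str) -> bool:
    """True if the field value parses under the draft's grammar."""
    try:
        parse_doh_preference(value)
        return True
    except ValueError:
        return False
```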
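The client-side rules of Sections 4, 4.1 and 6, as an added example that is not part of this draft: a per-host preference cache that ignores the header over a non-secure transport, honours max-age and max-age=0, optionally restricts itself to vetted DoH servers, and detects a loop or an over-long chain when a DoH server's own host name carries a preference, returning None so the client can fall back. MAX_CHAIN, the class and method names, and all host names are assumptions; the draft sets no numeric chain limit.

```python
import ipaddress
from urllib.parse import urlparse

MAX_CHAIN = 4  # assumed bound on chained DoH lookups; the draft gives no number

class DohPreferenceCache:
    """Client-side cache of DoH preferences keyed by web-server host name."""

    def __init__(self, vetted=None):
        self.vetted = set(vetted) if vetted is not None else None  # allowlist
        self._entries = {}  # host -> {template: expiry}, best template first

    def observe(self, host, scheme, prefs, now):
        """Apply DoH-Preference header(s) from a response served by `host`;
        `prefs` is [(template, max_age), ...] in decreasing preference."""
        if scheme != "https":
            return  # MUST ignore the header over a non-secure transport
        fresh = {}
        for template, max_age in prefs:
            if self.vetted is not None and urlparse(template).hostname not in self.vetted:
                continue
            if max_age > 0:  # max-age=0 removes the template from the cache
                fresh[template] = now + max_age
        # A new header replaces earlier state for the same template only.
        kept = {t: e for t, e in self._entries.get(host, {}).items() if t not in dict(prefs)}
        self._entries[host] = {**fresh, **kept}

    def preferred(self, host, now):
        """Unexpired templates for exactly this host name, best first."""
        return [t for t, e in self._entries.get(host, {}).items() if e > now]

    def resolver_chain(self, host, now):
        """Follow preferences through the DoH servers' own host names. Returns the
        chain of DoH hosts, or None on a loop or over-long chain, which the client
        treats as a query failure and falls back to another resolver."""
        chain, seen = [], {host}
        while True:
            templates = self.preferred(chain[-1] if chain else host, now)
            if not templates:
                return chain
            doh_host = urlparse(templates[0]).hostname
            try:
                ipaddress.ip_address(doh_host)
                return chain + [doh_host]  # IP literal: no further DNS lookup needed
            except ValueError:
                pass
            if doh_host in seen or len(chain) >= MAX_CHAIN:
                return None
            chain.append(doh_host)
            seen.add(doh_host)
```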
Acknowledgments

The authors would like to thank many members of the IETF community,
as this document is the fruit of many hallway conversations.

Authors' Addresses

David Schinazi
Google LLC
1600 Amphitheatre Parkway
Mountain View, California 94043
United States of America

Email: dschinazi.ietf@gmail.com

Nick Sullivan
Cloudflare

Email: nick@cloudflare.com

Jesse Kipp
Cloudflare

Email: jkipp@cloudflare.com