draft-ietf-doh-dns-over-https-08.txt   draft-ietf-doh-dns-over-https-09.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft ICANN Internet-Draft ICANN
Intended status: Standards Track P. McManus Intended status: Standards Track P. McManus
Expires: November 17, 2018 Mozilla Expires: November 25, 2018 Mozilla
May 16, 2018 May 24, 2018
DNS Queries over HTTPS (DOH) DNS Queries over HTTPS (DOH)
draft-ietf-doh-dns-over-https-08 draft-ietf-doh-dns-over-https-09
Abstract Abstract
This document describes how to make DNS queries over HTTPS. This document describes how to make DNS queries over HTTPS.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 17, 2018. This Internet-Draft will expire on November 25, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
3. Protocol Requirements . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Requirements . . . . . . . . . . . . . . . . . . . . 3
3.1. Non-requirements . . . . . . . . . . . . . . . . . . . . 4 3.1. Non-requirements . . . . . . . . . . . . . . . . . . . . 4
4. Selection of DNS API Server . . . . . . . . . . . . . . . . . 4 4. Selection of DNS API Server . . . . . . . . . . . . . . . . . 4
5. The HTTP Exchange . . . . . . . . . . . . . . . . . . . . . . 4 5. The HTTP Exchange . . . . . . . . . . . . . . . . . . . . . . 4
5.1. The HTTP Request . . . . . . . . . . . . . . . . . . . . 4 5.1. The HTTP Request . . . . . . . . . . . . . . . . . . . . 4
5.1.1. HTTP Request Examples . . . . . . . . . . . . . . . . 5 5.1.1. HTTP Request Examples . . . . . . . . . . . . . . . . 5
5.2. The HTTP Response . . . . . . . . . . . . . . . . . . . . 6 5.2. The HTTP Response . . . . . . . . . . . . . . . . . . . . 6
5.2.1. HTTP Response Example . . . . . . . . . . . . . . . . 7 5.2.1. HTTP Response Example . . . . . . . . . . . . . . . . 7
6. HTTP Integration . . . . . . . . . . . . . . . . . . . . . . 8 6. HTTP Integration . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Cache Interaction . . . . . . . . . . . . . . . . . . . . 8 6.1. Cache Interaction . . . . . . . . . . . . . . . . . . . . 8
6.2. HTTP/2 . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.2. HTTP/2 . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.3. Server Push . . . . . . . . . . . . . . . . . . . . . . . 10 6.3. Server Push . . . . . . . . . . . . . . . . . . . . . . . 10
6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 10 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 10
7. DNS Wire Format . . . . . . . . . . . . . . . . . . . . . . . 10 7. DNS Wire Format . . . . . . . . . . . . . . . . . . . . . . . 10
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8.1. Registration of application/dns-message Media Type . . . 11 8.1. Registration of application/dns-message Media Type . . . 11
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Operational Considerations . . . . . . . . . . . . . . . . . 14 10. Operational Considerations . . . . . . . . . . . . . . . . . 12
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 15 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 16 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16
Previous Work on DNS over HTTP or in Other Formats . . . . . . . 18 Previous Work on DNS over HTTP or in Other Formats . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
This document defines a specific protocol for sending DNS [RFC1035] This document defines a specific protocol for sending DNS [RFC1035]
queries and getting DNS responses over HTTP [RFC7540] using https queries and getting DNS responses over HTTP [RFC7540] using https
URIs (and therefore TLS [RFC5246] security for integrity and URIs (and therefore TLS [RFC5246] security for integrity and
confidentiality). Each DNS query-response pair is mapped into a HTTP confidentiality). Each DNS query-response pair is mapped into a HTTP
exchange. exchange.
The described approach is more than a tunnel over HTTP. It The described approach is more than a tunnel over HTTP. It
skipping to change at page 4, line 19 skipping to change at page 4, line 19
o Supporting network-specific DNS64 [RFC6147] o Supporting network-specific DNS64 [RFC6147]
o Supporting other network-specific inferences from plaintext DNS o Supporting other network-specific inferences from plaintext DNS
queries queries
o Supporting insecure HTTP o Supporting insecure HTTP
4. Selection of DNS API Server 4. Selection of DNS API Server
Before using a DNS API server for DNS resolution, the client MUST A DNS API client uses configuration to select the URI, and thus the
establish that the HTTP request URI is a trusted service for the DOH DNS API server, used for resolution. A client MUST NOT use a DNS API
query, in other words, a DNS API client MUST only use a DNS API server simply because it was discovered, or because the client was
server that is configured as trustworthy. told to use the DNS API server by an untrusted party. [RFC2818]
defines how HTTPS verifies the server's identity.
A client MUST NOT use a DNS API server simply because it was
discovered, or because the client was told to use the DNS API server
by an untrusted party.
This specification does not extend DNS resolution privileges to URIs This specification does not extend DNS resolution privileges to URIs
that are not recognized by the DNS API client as trusted DNS API that are not recognized by the DNS API client as trusted DNS API
servers. As such, use of untrusted servers is out of scope of this servers. As such, use of untrusted servers is out of scope of this
document. document.
5. The HTTP Exchange 5. The HTTP Exchange
5.1. The HTTP Request 5.1. The HTTP Request
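Review bot: the -09 rewrite of Section 4 drops the -08 requirement that the client "MUST establish that the HTTP request URI is a trusted service" and replaces it with the descriptive "uses configuration to select the URI", so the only surviving normative language in this section is the MUST NOT on discovered or untrusted-party-supplied servers; the positive requirement to use only configured, trusted servers now rests on the non-normative sentence "does not extend DNS resolution privileges to URIs that are not recognized ... as trusted". Suggest keeping an explicit requirement such as "A DNS API client MUST only use a DNS API server that it has been configured to trust", and making clear that the [RFC2818] identity verification newly cited here authenticates the host named in the configured URI but does not by itself establish that the host is trustworthy.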
skipping to change at page 13, line 45 skipping to change at page 12, line 45
the security implications of HTTP caching for other protocols that the security implications of HTTP caching for other protocols that
use HTTP. use HTTP.
In the absence of DNSSEC information, a DNS API server can give a In the absence of DNSSEC information, a DNS API server can give a
client invalid data in response to a DNS query. A client MUST NOT client invalid data in response to a DNS query. A client MUST NOT
use arbitrary DNS API servers. Instead, a client MUST only use DNS use arbitrary DNS API servers. Instead, a client MUST only use DNS
API servers specified using mechanisms such as explicit API servers specified using mechanisms such as explicit
configuration. This does not guarantee protection against invalid configuration. This does not guarantee protection against invalid
data but reduces the risk. data but reduces the risk.
A client can use DNS over HTTPS as one of multiple mechanisms to
obtain DNS data. If a client of this protocol encounters an HTTP
error after sending a DNS query, and then falls back to a different
DNS retrieval mechanism, doing so can weaken the privacy and
authenticity expected by the user of the client.
10. Operational Considerations 10. Operational Considerations
Local policy considerations and similar factors mean different DNS Local policy considerations and similar factors mean different DNS
servers may provide different results to the same query: for instance servers may provide different results to the same query: for instance
in split DNS configurations [RFC6950]. It logically follows that the in split DNS configurations [RFC6950]. It logically follows that the
server which is queried can influence the end result. Therefore a server which is queried can influence the end result. Therefore a
client's choice of DNS server may affect the responses it gets to its client's choice of DNS server may affect the responses it gets to its
queries. For example, in the case of DNS64 [RFC6147], the choice queries. For example, in the case of DNS64 [RFC6147], the choice
could affect whether IPv6/IPv4 translation will work at all. could affect whether IPv6/IPv4 translation will work at all.
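Review bot: the -09 column removes the -08 paragraph warning that a client which "encounters an HTTP error after sending a DNS query, and then falls back to a different DNS retrieval mechanism" can weaken the privacy and authenticity expected by the user. Unless that text has moved to a section outside this diff, the fallback risk is no longer stated anywhere in Security Considerations; suggest retaining it, since a client that silently downgrades to another resolution mechanism on a transient HTTP failure loses the integrity and confidentiality properties that the Introduction attributes to https URIs.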
skipping to change at page 16, line 38 skipping to change at page 15, line 33
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References 11.2. Informative References
[CORS] "Cross-Origin Resource Sharing", n.d., [CORS] "Cross-Origin Resource Sharing", n.d.,
<https://fetch.spec.whatwg.org/#http-cors-protocol>. <https://fetch.spec.whatwg.org/#http-cors-protocol>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale [RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale
Content", RFC 5861, DOI 10.17487/RFC5861, May 2010, Content", RFC 5861, DOI 10.17487/RFC5861, May 2010,
<https://www.rfc-editor.org/info/rfc5861>. <https://www.rfc-editor.org/info/rfc5861>.
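Review bot: [RFC2818] is added only to Informative References (11.2), yet Section 4 in -09 relies on it ("[RFC2818] defines how HTTPS verifies the server's identity") for the identity check a client depends on before using a DNS API server. Consider moving the entry to Normative References (11.1) so that the identity verification the client relies on is a normative dependency rather than an informative pointer. The entry itself (author, title, RFC number, DOI, date, URL) is formatted consistently with the adjacent entries.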
 End of changes. 9 change blocks. 
28 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/