I think the major benefit from this proposal is to make the upper layer (http 
layer) unaware of the DNS data inside. So we do not need to consider the 
checksum-like mechanism, special authentication for DNS stub, and do keep 
truncation logic. I accept your idea that a new header field Proxy-DNS-Transport 
may break that transparency.

 

-Davey

 

From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Adrien de Croy
Sent: 3 May 2016 13:15
To: Davey Song; dnsop@ietf.org
Subject: Re: [DNSOP] Fwd: New Version Notification for 
draft-song-dns-wireformat-http-03.txt

 

 

Hi Davey

 

Some general comments:

 

I don't think you can claim that https provides data integrity or privacy any 
more, since MitM proxies are abundant.

 

I think some thought should be given to how a DNS stub might deal with a 
captive portal or http proxy authentication.

 

I think also that any HTTP server that receives such a request probably ought 
to be validating the encapsulated binary data before forwarding it to any DNS 
server.

 

I wonder why you'd want to keep truncation, as the request should be able to 
benefit from the fact that fundamentally it's made over TCP to the HTTP agent.

 

I would also suggest looking into how such requests might be best blocked by an 
http proxy, because this will be a requirement of proxy operators, and it would 
be good to consider user experience for when this happens, so that a consistent 
approach can be taken (rather than every different proxy blocking it some other 
way so that the user experience becomes awful).

 

Cheers

Adrien

 

 

 

 

------ Original Message ------

From: "Davey Song" <songlinj...@gmail.com>

To: "dnsop@ietf.org" <dnsop@ietf.org>

Sent: 27/04/2016 8:43:09 p.m.

Subject: [DNSOP] Fwd: New Version Notification for 
draft-song-dns-wireformat-http-03.txt

 

Hi Colleagues, 

 

We have updated the dns-wireformat draft according to the advice we gained from 
the last IETF meeting, changing the well-known URI from dns-over-http to 
dns-wireformat according to Paul Hoffman's suggestion. Any further comments? I 
would like to ask the WG to adopt it this time.

 

Best regards,

Davey

 

---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: 27 April 2016 at 16:03
Subject: New Version Notification for draft-song-dns-wireformat-http-03.txt
To: "Paul A. Vixie" <vi...@tisf.net>, Shane Kerr <sh...@biigroup.cn>, Runxia 
Wan <rx...@biigroup.cn>, Linjian Song <songlinj...@gmail.com>



A new version of I-D, draft-song-dns-wireformat-http-03.txt
has been successfully submitted by Linjian Song and posted to the
IETF repository.

Name:           draft-song-dns-wireformat-http
Revision:       03
Title:          DNS wire-format over HTTP
Document date:  2016-04-27
Group:          Individual Submission
Pages:          10
URL:            https://www.ietf.org/internet-drafts/draft-song-dns-wireformat-http-03.txt
Status:         https://datatracker.ietf.org/doc/draft-song-dns-wireformat-http/
Htmlized:       https://tools.ietf.org/html/draft-song-dns-wireformat-http-03
Diff:           https://www.ietf.org/rfcdiff?url2=draft-song-dns-wireformat-http-03

Abstract:
   This memo introduces a way to tunnel DNS data over HTTP.  This may be
   useful in any situation where DNS is not working properly, such as
   when there is middlebox misbehavior.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
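
Added example, not part of the thread or of the draft: one way an HTTP server could carry out the check Adrien suggests above, validating the encapsulated binary data before forwarding it to a DNS server. The acceptance policy (standard query, exactly one question, no compression pointers, no trailing bytes) and every name in the code are assumptions of this example.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

class InvalidDNSQuery(ValueError):
    """Payload rejected before it is forwarded to a DNS server."""

def _skip_name(msg, off):
    """Walk an uncompressed name; return the offset just past its root label."""
    start = off
    while True:
        if off >= len(msg):
            raise InvalidDNSQuery("name runs past end of message")
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length > 63:  # compression pointer or reserved label type
            raise InvalidDNSQuery("compressed or oversized label")
        off += length
    if off - start > 255:
        raise InvalidDNSQuery("name longer than 255 octets")
    return off

def validate_query(msg):
    """Return (qtype, qclass) for a well-formed single-question query, else raise."""
    if not HEADER.size <= len(msg) <= 65535:
        raise InvalidDNSQuery("bad message length")
    _id, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    if flags & 0xF800:  # QR bit (0x8000) or a non-zero opcode (0x7800)
        raise InvalidDNSQuery("not a standard query")
    if qd != 1 or an or ns:
        raise InvalidDNSQuery("unexpected section counts")
    off = _skip_name(msg, HEADER.size)
    if off + 4 > len(msg):
        raise InvalidDNSQuery("truncated question")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    for _ in range(ar):  # additional records, e.g. an EDNS0 OPT record
        off = _skip_name(msg, off)
        if off + 10 > len(msg):  # TYPE, CLASS, TTL, RDLENGTH
            raise InvalidDNSQuery("truncated resource record")
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    if off != len(msg):  # every declared byte accounted for, nothing extra
        raise InvalidDNSQuery("trailing or missing bytes")
    return qtype, qclass

# Constructed sample: query for example.com, type A, class IN, RD flag set.
SAMPLE_QUERY = (HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
```
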

 
