Paul, At 2016-07-12 07:00:17 -0400 Paul Wouters <p...@nohats.ca> wrote:
> On Mon, 11 Jul 2016, Tim Wicinski wrote: > > > The draft is available here: > > https://datatracker.ietf.org/doc/draft-song-dns-wireformat-http/ > > > > Please review this draft to see if you think it is suitable for adoption by > > DNSOP, and comments to the list, clearly stating your view. > > I am very hesitant to accept any protocol-over-http wrapper, as it just > moves the problem around and generate a new set of middleware boxes that > mess with the data. > > I think RFC 7858 is fine for mistakenly broken networks. The only > advantage of this method is to work around administrative blocks. And > that's a rat-race with middle boxes. This is indeed the main use case of the draft - getting around administrative blocks. Widespread adoption would indeed result in a sort of arm's race with developers adding blocks, although the main advantage of DNS over HTTP is that HTTP is difficult to block in general, whereas DNS is easy to block in general. One can of course use RFC 7858 over port 443. My guess is that traffic analysis will quickly reveal this to be DNS traffic (although EDNS0 padding may combat this). The advantage of DNS over HTTP beyond this is that you can run DNS over HTTP on an HTTP server which is serving other HTTP content. (The DNS over HTTP draft mentions this, IIRC.) This makes DNS over HTTP indistinguishable from "normal" HTTP traffic, because it is running on the same server as "normal" HTTP traffic. > There is also a bootstrap issue. if you can use the local DNS to get to > the webserver for DNS-over-HTTP then the local DNS can prevent you from > resolving it. If you hardcode the IP they can blacklist known servers. > And they can transparent proxy your requests to prevent you from using > it anyway. So it's not even that good to work around administrative > blocks. There is indeed a bootstrap issue. In our code you can either use the IP directly or use another resolver (like the normal DHCP-supplied resolver) to lookup the IP of the HTTP over DNS server. Perhaps we should address this in the draft? The impact of blocking on this will vary depending on the scenario. Yes, China will surely maintain a blacklist, just like they do for VPN. Hopefully this will be mitigated a little bit by sharing the DNS over HTTP with web pages, but maybe not. It's still useful for people who are stuck behind less comprehensive blocks. > So I am not convinced of the use case compared to RFC 7858. That's fine. One thing that I have mentioned several times in the past is that the IETF has a culture of stopping things because people don't like proposals for various reasons. This is especially true in the DNS community, for some reason. I'm hoping even though you and Ray and surely others don't find this a useful technique, that the document can proceed anyway. You don't have to use it, and can discourage use by others. But maybe having an extra potential tool is okay. Cheers, -- Shane
pgpnSwQBChn7x.pgp
Description: OpenPGP digital signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
