Re: Unable to Query DoH with `tls none` and Plain HTTP
On 2024-01-01 16:38, Ondřej Surý wrote:
> On 1. 1. 2024, at 15:19, r1wcp...@bbqporkmccity.com wrote:
>> Thank you very much, I was unaware of the HTTP/2 requirement and was
>> assuming it is a bug. Is there any reason for omitting the HTTP/1.1
>> upgrade part of the protocol?
>
> It would be additional complexity that's really not needed. The HTTP/2
> library (libnghttp) doesn't provide an HTTP/1.1 implementation, so we
> would have to bolt on something of our own for little gain. And it would
> increase the attack surface, as it would be yet another protocol open to
> the world that can have bugs in it.

Funny, given that HTTP/2 (the spec) had a CVE against it last October,
while HTTP/0.9 and HTTP/1.x did not.

Having the DoH server as a standalone process talking to DNS/TCP would
be a solid implementation given the constant flow of changes made to
HTTP(S) by the Big 5.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to Query DoH with `tls none` and Plain HTTP
On Tue, Jan 2, 2024 at 4:38 AM Jakob Bohm via bind-users wrote:
> Having the DoH server as a standalone process talking to DNS/TCP would
> be a solid implementation given the constant flow of changes made to
> HTTP(S) by the Big 5.

Perhaps, but for reference here is the relevant section of the DoH spec:

https://datatracker.ietf.org/doc/html/rfc8484#section-5.2

   HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use
   with DoH.

   The messages in classic UDP-based DNS [RFC1035] are inherently
   unordered and have low overhead. A competitive HTTP transport needs
   to support reordering, parallelism, priority, and header compression
   to achieve similar performance. Those features were introduced to
   HTTP in HTTP/2 [RFC7540]. Earlier versions of HTTP are capable of
   conveying the semantic requirements of DoH but may result in very
   poor performance.

That ISC has chosen to follow the minimum HTTP version as recommended by
the RFC is solid ground on which to be standing.

--
tale
Re: Unable to Query DoH with `tls none` and Plain HTTP
> On 2. 1. 2024, at 10:38, Jakob Bohm via bind-users wrote:
>
> Funny, given that HTTP/2 (the spec) had a CVE against it last October,
> while HTTP/0.9 and HTTP/1.x did not.

I’ve said that a single modern HTTP/2 implementation (backed by a
maintained library) is much better than having two different
implementations of the HTTP protocol that need to cooperate on a single
port. You came with a vulnerability in the HTTP/2 specification. So,
what’s your point? Or were you just trying to be “funny”?

> Having the DoH server as a standalone process talking to DNS/TCP would
> be a solid implementation given the constant flow of changes made to
> HTTP(S) by the Big 5.

Sure, but most people don’t want to integrate different programs to talk
to each other, and having an all-in-one solution works for most people.
For the rest, there’s always something like dnsdist that can actually
talk DoH on the external side and Do53 on the internal side.

From a maintainer’s perspective, I would love to have a minimal DNS
implementation with as few features as possible, because that’s easier
to maintain. But we are not building BIND 9 for just our own needs; we
are building it for the users, regardless of what I personally think
about DoH/2, DoH/3 or DoQ and whatever Big Tech comes up with next to
shave a nanosecond from the latency and pushes onto the open source
developers who are limited on resources and maintain software that has
a long history…

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not
feel obligated to reply outside your normal working hours.
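Added example (my own code, not from the thread, BIND or libnghttp2): it builds the RFC 8484 GET form of a DoH query and classifies a connection's first bytes as either the HTTP/2 prior-knowledge preface or an HTTP/1.x request line, which is the single-port problem described above and the reason a `tls none` listener that speaks only HTTP/2 has nothing to say to a plain HTTP/1.1 client. Function names and the sample inputs are mine; the expected `dns=` value is the one RFC 8484 uses for its own www.example.com example.

```python
import base64
import struct

# RFC 7540 client connection preface. An h2c "prior knowledge" client (the
# only way to reach a plain-HTTP listener that implements HTTP/2 and nothing
# else) sends this first; an HTTP/1.x client sends a request line instead.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def build_dns_query(name, qtype=1):
    """Minimal DNS wire-format query: ID 0 (RFC 8484 recommends it for HTTP
    cacheability), RD set, one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(wire, template="/dns-query"):
    """RFC 8484 section 4.1 GET form: base64url of the wire query with the
    '=' padding stripped, carried in the 'dns' parameter of the URI."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def classify_first_bytes(data):
    """Classify a new TCP connection by its first bytes. An HTTP/2-only
    listener handles the first kind; serving the second kind on the same
    port would need a separate HTTP/1.x implementation (or an Upgrade)."""
    if data.startswith(H2_PREFACE):
        return "http2-prior-knowledge"
    request_line = data.split(b"\r\n", 1)[0]
    if request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        return "http1"
    return "unknown"


if __name__ == "__main__":
    path = doh_get_path(build_dns_query("www.example.com"))
    h1 = ("GET " + path + " HTTP/1.1\r\nHost: doh.test\r\n\r\n").encode()
    print(path)
    print("HTTP/1.1 request ->", classify_first_bytes(h1))
    print("HTTP/2 preface   ->", classify_first_bytes(H2_PREFACE))
```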