RFC 8484, "DNS Queries over HTTPS (DoH)", October 2018Source of RFC: doh (art)
Errata ID: 6033
Publication Format(s) : TEXT
Reported By: Mohamed Boucadair
Date Reported: 2020-03-30
Section 3 says:
A DoH client MUST NOT use a different URI simply because it was discovered outside of the client's configuration (such as through HTTP/2 server push) or because a server offers an unsolicited response that appears to be a valid answer to a DNS query.
It should say:
A DoH client MUST NOT use a different URI that was discovered outside of the client's configuration (except via HTTP redirection discussed in Section 6.4 of [RFC7231]). Also, the DoH client MUST ignore an unsolicited response (such as through HTTP/2 server push) that appears to be a valid answer to a DNS query unless that response comes from a configured URI (as described in Section 5.3).
(1) The intent of this text is confusing.
(2) I checked the mailing list and found that the text was updated late in the publication process to address this comment: https://mailarchive.ietf.org/arch/msg/doh/f_V-tBgB-KRsLZhttx9tGt75cps/.
(3) The example provided in the thread (server push) is related to the second part of the OLD text. It is mistakenly attached to the first part.
(4) The push example may be interpreted as if server push is disallowed. This is conflicting with Section 5.3.
Hence, this change:
Also, the DoH client MUST ignore an
unsolicited response (such as through HTTP/2 server push) that
appears to be a valid answer to a DNS query ** unless that response
comes from a configured URI (as described in Section 5.3) **.
(5) An intuitive way to discover the URI outside the configuration is redirection. RFC8484 indicates clearly the following:
The described approach is more than a tunnel over HTTP. It
establishes default media formatting types for requests and responses
but uses normal HTTP content negotiation mechanisms for selecting
alternatives that endpoints may prefer in anticipation of serving new
use cases. In addition to this media type negotiation, it ** aligns
itself with HTTP features ** such as caching, **redirection**, proxying,
authentication, and compression.
Forbidding discovery of URI outside the configuration contradicts the above excerpt. The text is as such incorrect.
(6) Also, I suggest to remove "simply" from the text. Not sure what message is supposed to convey.