RFC Errata
Found 3 records.
Status: Reported (3)
RFC 8484, "DNS Queries over HTTPS (DoH)", October 2018
Source of RFC: doh (art)
Errata ID: 5603
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Carsten Bormann
Date Reported: 2019-01-15
Section 4.1 says:
The URI Template defined in this document is processed without any variables when the HTTP method is POST. When the HTTP method is GET, the single variable "dns" is defined as the content of the DNS request (as described in Section 6), encoded with base64url [RFC4648].
It should say:
The URI Template defined in this document is processed without any variables when the HTTP method is POST. When the HTTP method is GET, the single variable "dns" is defined as the content of the DNS request (as described in Section 6), encoded with base64url [RFC4648]. Padding characters for base64url MUST NOT be included.
Notes:
Note that Section 6 does say the same thing for a different usage of base64url, and note that the examples in 4.1.1 even explicitly state this, but the text that states the usual deviation from the default of RFC 4648 should be in the defining part as well. (This is almost, but not quite, an editorial erratum.)
Errata ID: 6033
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Mohamed Boucadair
Date Reported: 2020-03-30
Section 3 says:
A DoH client MUST NOT use a different URI simply because it was discovered outside of the client's configuration (such as through HTTP/2 server push) or because a server offers an unsolicited response that appears to be a valid answer to a DNS query.
It should say:
A DoH client MUST NOT use a different URI that was discovered outside of the client's configuration (except via HTTP redirection discussed in Section 6.4 of [RFC7231]). Also, the DoH client MUST ignore an unsolicited response (such as through HTTP/2 server push) that appears to be a valid answer to a DNS query unless that response comes from a configured URI (as described in Section 5.3).
Notes:
(1) The intent of this text is confusing.
(2) I checked the mailing list and found that the text was updated late in the publication process to address this comment: https://mailarchive.ietf.org/arch/msg/doh/f_V-tBgB-KRsLZhttx9tGt75cps/.
(3) The example provided in the thread (server push) is related to the second part of the OLD text. It is mistakenly attached to the first part.
(4) The push example may be interpreted as if server push is disallowed. This is conflicting with Section 5.3.
Hence, this change:
Also, the DoH client MUST ignore an
unsolicited response (such as through HTTP/2 server push) that
appears to be a valid answer to a DNS query ** unless that response
comes from a configured URI (as described in Section 5.3) **.
(5) An intuitive way to discover the URI outside the configuration is redirection. RFC8484 indicates clearly the following:
The described approach is more than a tunnel over HTTP. It
establishes default media formatting types for requests and responses
but uses normal HTTP content negotiation mechanisms for selecting
alternatives that endpoints may prefer in anticipation of serving new
use cases. In addition to this media type negotiation, it ** aligns
itself with HTTP features ** such as caching, **redirection**, proxying,
authentication, and compression.
Forbidding discovery of URI outside the configuration contradicts the above excerpt. The text is as such incorrect.
(6) Also, I suggest to remove "simply" from the text. Not sure what message is supposed to convey.
Errata ID: 6708
Status: Reported
Type: Editorial
Publication Format(s) : TEXT
Reported By: Martin Thomson
Date Reported: 2021-10-14
Section 10 says:
The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) for Certificate Revocation List (CRL) fetching (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.
It should say:
The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers, Certificate Revocation List (CRL) distribution points (see Section 4.2.1.13 of [RFC5280]), or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.
Notes:
The OCSP part is fine, but the AIA piece is wrong.
For context, there are three different ways (to my knowledge) that a client might make outbound connections in order to validate or build a certification path.
1. CRL - clients fetch CRLs from the designated location. This rarely happens any more as it is grossly inefficient, but it does still happen in some usages.
2. OCSP - clients query OCSP for the status of a certificate.
3. AIA chasing - this is where the TLS handshake doesn't include the full set of certificates required to validate the end-entity certificate, but the certificate includes a URL for that certificate.
AIA itself is a multi-purpose field. It can include multiple elements, one of which is the identity of an OCSP responder (the same one used in (2) above) and the other being the one used in (3). It does not include CRL distribution points, as the text implies.