DoH Preference Hints for HTTPGoogle LLC1600 Amphitheatre ParkwayMountain View, California 94043United States of Americadschinazi.ietf@gmail.comCloudflarenick@cloudflare.comCloudflarejkipp@cloudflare.com
Applications
Internet-DraftWhen using a publicly available DNS-over-HTTPS (DoH) server, some clients may
suffer poor performance when the authoritative DNS server is located far from
the DoH server. For example, a publicly available DoH server provided by a
Content Delivery Network (CDN) should be able to resolve names hosted by that
CDN with good performance but might take longer to resolve names provided by
other CDNs, or might provide suboptimal results if that CDN is using DNS-based
load balancing and returns different address records depending or where the DNS
query originated from. This document attempts to lessen these issues by allowing
the web server to indicate to the client which DoH server can best resolve its
addresses. This document defines an HTTP header field that enables web host
operators to inform user agents of the preferred DoH servers to use for
subsequent DNS lookups for the host’s domain.When using a publicly available DNS-over-HTTPS (DoH) server, some clients may
suffer poor performance when the authoritative DNS server is located far from
the DoH server. For example, a publicly available DoH server provided by a
Content Delivery Network (CDN) should be able to resolve names hosted by that
CDN with good performance but might take longer to resolve names provided by
other CDNs, or might provide suboptimal results if that CDN is using DNS-based
load balancing and returns different address records depending or where the DNS
query originated from. This document attempts to lessen these issues by allowing
the web server to indicate to the client which DoH server can best resolve its
addresses. This document defines an HTTP header field that enables web host
operators to inform user agents of the preferred DoH servers to use for
subsequent DNS lookups for the host’s domain.When a web server wishes its client to use a specific DoH server to resolve its
addresses, it can send the DoH-Preference header to indicate that preference to
the user agent. The header is not prescriptive, it only indicates the server’s
preference to the user. It also only applies to the web server’s current
hostname.The header defined in this document is not intended to be used as a discovery
mechanism for clients learning about the existence of new DoH servers. Instead,
it is intended to be used as an optimization technique for clients with support
for multiple DoH servers who wish to choose the most performant DNS server for
a given query.The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
“SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this
document are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here.This document uses the Augmented BNF defined in and updated by
along with the “#rule” extension defined in Section 7 of
. The rules below are defined in , , and
:An HTTPS origin can indicate its preference regarding DoH servers to the client
by adding an DoH-Preference header field to responses.The “doh-uri” component consists of the DoH URI Template as defined in
.Sending multiple DoH-Preference header fields indicates that the server prefers
multiple DoH servers. They are sent in decreasing order of preference.The REQUIRED “max-age” directive specifies the number of seconds, after the
reception of the DoH-Preference header field, during which the user agent
caches the server’s DoH preferences.The syntax of the max-age directive’s REQUIRED value (after quoted-string
unescaping, if necessary) is defined as:A max-age value of zero (i.e., “max-age=0”) signals the user agent to remove
the DoH URI template from its cache.The header below indicates that the user agent should consider querying DNS
results for the web server’s hostname using “dnsserver.example.net” for
approximately six months. (Lines are folded to fit.)Web servers MAY send a DoH-Preference header to indicate to clients that it
would prefer they use that DoH server when resolving addresses for the hostname
of the web server. Web servers MAY send multiple DoH-Preference headers. Web
servers MUST NOT send the DoH-Preference header in HTTP responses conveyed over
a non-secure transport.The choice of DoH server can affect overall performance and responsiveness as
perceived by the client. Some example considerations in choosing a preferred
DoH server are:A DoH host specified as a host name rather than an IP address will require
one or more additional DNS resolutions when the cached DNS entries for the
resolver or resolvers expire.Support for extension mechanisms (e.g. EDNS(0)) may be desired.Clients, particularly mobile device clients, may frequently move between
networks that have different network paths to the DoH server.If a client chooses to act on received DoH-Preference headers, it SHOULD cache
the server’s hostname and the corresponding DoH URI template and lifetime. It
SHOULD then send subsequent DNS requests for A and AAAA records for that host
name to the provided DoH server, until the cache entry expires after the time
specified in the “max-age” directive. Any received DoH-Preference header
replaces and overrides any and all information received in a previous
DoH-Preference header for the same host name and DoH URI template.Clients MAY decide to only respect the DoH-Preference header for a subset of
vetted DoH servers.Clients MUST NOT use the contents of the DoH-Preference header to impact how
it resolves other domain names. Clients MUST ignore the DoH-Preference header
in HTTP responses conveyed over a non-secure transport.If the DoH-Preference URI contains a host expressed as a host name rather than
as an IP address and that host name is resolved via DoH, the DoH server might
also specify a DoH-Preference header. This means that respecting the DoH server
recommendation could result in an excessively long chain of DoH queries or a
loop of DoH servers. Clients SHOULD be capable of detecting a loop or an
excessively long chain of DoH servers and treat these conditions as a query
failure.If resolution using the recommended DoH server fails, clients MUST fall back
and retry their query using another DNS resolution mechanism.An internationalized domain name that appears in the header field MUST be
expressed using A-labels; see Section 2.3.2.1 of .The DoH-Preference header allows a web server to impact how a user agent
resolves DNS A and AAAA records for its own host name. Since the web server
has proven ownership of the domain name via its TLS certificate and the DNS
result that led to the initial connection, impacting future DNS resolutions
to the same host name has limited security impact.The potential exists for the DoH-Preference header to be used as a form of web
tracking. Because a DoH URI is chosen by the server, cached by the client, and
then subsequently contacted by the client, a uniquely chosen DoH URI could
identify a client even after other client-side state has expired or been
removed. Clients SHOULD expire cached DoH URIs when other client state expires
unless the URIs refer to vetted DoH servers or match common DoH URI patterns
that preclude client-unique URIs.This document, if approved, requests IANA to register the DoH-Preference header
in the “Permanent Message Header Field Names” registry maintained at
https://www.iana.org/assignments/message-headers/.The change controller is: “IETF (iesg@ietf.org) – Internet Engineering Task
Force”.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Augmented BNF for Syntax Specifications: ABNFInternet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]Case-Sensitive String Support in ABNFThis document extends the base definition of ABNF (Augmented Backus-Naur Form) to include a way to specify US-ASCII string literals that are matched in a case-sensitive manner.Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.Hypertext Transfer Protocol (HTTP/1.1): CachingThe Hypertext Transfer Protocol (HTTP) is a stateless \%application- level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.DNS Queries over HTTPS (DoH)This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.Internationalized Domain Names for Applications (IDNA): Definitions and Document FrameworkThis document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS-TRACK]The authors would like to thank many members of the IETF community, as this
document is the fruit of many hallway conversations.