# Updates to DoH `+http` and `+https` options for `dig`

## Description

This is a request for updating the DoH options in `dig` by:

- Adding new options for specifying the HTTP `:authority` pseudo-header and/or `Host:` header
- Adding shorter alternatives to the existing HTTP/2 options.
## Request

### 1. New DoH Options

Add a new `+http-authority=value` option to control the HTTP/2 (or HTTP/3) `:authority` pseudo-header within the DoH HTTP request, i.e.:

```
:method = GET
:scheme = https
:authority = dnsserver.example.net
```

Also add a new `+http-host=value` option to control the HTTP/1.1, HTTP/2 or HTTP/3 `Host:` header within the DoH HTTP request, i.e.:

```
:method = GET
:scheme = https
Host: dnsserver.example.net
```
These options are required for 2 use cases:

- Bootstrapping a DoH query to a `@server` IP address without relying on any additional DNS resolution of the `@server` hostname.
- Domain fronting of DoH once issue #3896 implements SNI support in `dig`.
The expected future behaviour is:

- The `@server` argument and `-p` option control what server IP address and port `dig` connects to.
- The `+tls-sni` option controls what SNI hostname `dig` requests in the `ClientHello` during the TLS handshake.
- The `+http-authority` and `-p` options control what `dig` requests within the HTTP `:authority` pseudo-header.
- The `+http-host` and `-p` options control what `dig` requests within the HTTP `Host:` header.
- The `+tls-hostname` option controls `dig` validation of the certificate returned by the `ServerHello` during the TLS handshake.

The HTTP `:authority` pseudo-header or HTTP `Host:` header should apply regardless of whether or not the DoH connection is encapsulated in TLS.
Proposed logic is something along the lines of:

```
if request is DoH (either h2 or h2c)
    if +http-authority option is specified
        validate option input
        HTTPauthority = option value
    else if +http-host option is specified
        validate option input
        HTTPHost = option value
    else if @server argument is a hostname
        HTTPauthority = argument value
    else if +tls-sni option is specified
        HTTPauthority = option value
    else if +tls-hostname option is specified
        HTTPauthority = option value
    else
        HTTPauthority = server IP address
    if +http-host option is specified
        validate option input
        HTTPHost = option value
    if -p option is specified
        if HTTPauthority is specified
            if HTTPauthority doesn't include :port
                HTTPauthority = HTTPauthority + ":" + port
        if HTTPHost is specified
            if HTTPHost doesn't include :port
                HTTPHost = HTTPHost + ":" + port
    if HTTPHost and HTTPauthority are specified
        if HTTPHost differs from HTTPauthority
            error
```
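The precedence above, carried through as an added Python example (not `dig`'s code and not from the BIND project). The proposal only says "validate option input", so the validation rule (no whitespace or CR/LF, which would otherwise let a value inject extra header lines) and the `[...]` bracketing of IPv6 literals are assumptions:

```python
import ipaddress
import re

# Assumed validation rule (the proposal only says "validate option input"): a name,
# IP literal or [IPv6] plus optional :port, and no CR/LF that could inject headers.
_TOKEN = re.compile(r"^[A-Za-z0-9.\-:\[\]]+$")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _has_port(value):
    # "[v6]:port" or "name:port"; a bare IPv6 literal never carries a port here.
    if value.startswith("["):
        return re.search(r"\]:\d+$", value) is not None
    return value.count(":") == 1 and value.rsplit(":", 1)[1].isdigit()

def resolve_doh_headers(server, port=None, http_authority=None, http_host=None,
                        tls_sni=None, tls_hostname=None):
    # Returns (authority, host); None means the proposal leaves that field unset.
    for option, value in (("+http-authority", http_authority), ("+http-host", http_host)):
        if value is not None and not _TOKEN.match(value):
            raise ValueError(f"{option}: invalid value {value!r}")
    authority = host = None
    if http_authority is not None:
        authority = http_authority
    elif http_host is not None:
        host = http_host
    elif not _is_ip(server):            # @server argument is a hostname
        authority = server
    elif tls_sni is not None:
        authority = tls_sni
    elif tls_hostname is not None:
        authority = tls_hostname
    else:                               # @server argument is an IP literal
        ip = ipaddress.ip_address(server)
        authority = f"[{ip}]" if ip.version == 6 else str(ip)  # RFC 3986 form
    if http_host is not None:
        host = http_host
    if port is not None:                # -p: append the port where it is absent
        if authority is not None and not _has_port(authority):
            authority = f"{authority}:{port}"
        if host is not None and not _has_port(host):
            host = f"{host}:{port}"
    if authority is not None and host is not None and authority != host:
        raise ValueError(f"Host: {host!r} differs from :authority {authority!r}")
    return authority, host
```

Note that, exactly as in the proposed logic, giving only `+http-host` leaves `:authority` unset rather than copying the value across.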
### 2. Shorter Alternatives

The DNSSEC option in `dig` currently has a number of shorter alternatives: `+dnssec`, `+do`, `+nodnssec`, `+nodo`.

This request is to add similar shorter alternatives, based on the standard HTTP/2 `h2` and `h2c` protocol identifiers, to all existing `+http*` options in `dig`.
The proposed changes are outlined in the table below:

| Current | Proposed |
|---|---|
| `+https[=value]`, `+nohttps` | `+https[=value]`, `+h2[=value]`, `+nohttps`, `+noh2` |
| `+https-get[=value]`, `+nohttps-get` | `+https-get[=value]`, `+h2-get[=value]`, `+nohttps-get`, `+noh2-get` |
| `+https-post[=value]`, `+nohttps-post` | `+https-post[=value]`, `+h2-post[=value]`, `+nohttps-post`, `+noh2-post` |
| `+http-plain[=value]`, `+nohttp-plain` | `+http-plain[=value]`, `+h2c[=value]`, `+nohttp-plain`, `+noh2c` |
| `+http-plain-get[=value]`, `+nohttp-plain-get` | `+http-plain-get[=value]`, `+h2c-get[=value]`, `+nohttp-plain-get`, `+noh2c-get` |
| `+http-plain-post[=value]`, `+nohttp-plain-post` | `+http-plain-post[=value]`, `+h2c-post[=value]`, `+nohttp-plain-post`, `+noh2c-post` |
The use cases for this are:

- Reduction of some option lengths down to just 30% of the current.
- In the future, the ability to differentiate them from `+h3*` versions of these options when support for HTTP/3 DoH3 and DoQ is added (e.g. via nghttp3).
## Links / references

For the HTTP `:authority` pseudo-header and `Host:` header request see:

- Section 7.2 of RFC 9110: HTTP Semantics.
- Section 8.3.1 of RFC 9113: HTTP/2.
- Section 4.3.1 of RFC 9114: HTTP/3.

For standard definitions of the `h2`, `h2c`, `h3`, `dot` and `doq` protocol identifiers see: