rfc9540v2.txt | rfc9540.txt | |||
---|---|---|---|---|
skipping to change at line 105 ¶ | skipping to change at line 105 ¶ | |||
This document defines a way to use DNS resource records (RRs) to | This document defines a way to use DNS resource records (RRs) to | |||
advertise that an HTTP service supports Oblivious HTTP. This | advertise that an HTTP service supports Oblivious HTTP. This | |||
advertisement is a parameter that can be included in Service Binding | advertisement is a parameter that can be included in Service Binding | |||
(SVCB) and HTTPS DNS RRs [SVCB] (Section 4). The presence of this | (SVCB) and HTTPS DNS RRs [SVCB] (Section 4). The presence of this | |||
parameter indicates that a service can act as a target and has a | parameter indicates that a service can act as a target and has a | |||
gateway that can provide access to the target. | gateway that can provide access to the target. | |||
The client learns the URI to use for the gateway using a well-known | The client learns the URI to use for the gateway using a well-known | |||
URI suffix [WELLKNOWN], "ohttp-gateway", which is accessed on the | URI suffix [WELLKNOWN], "ohttp-gateway", which is accessed on the | |||
target (Section 5). This means that for deployments that support | target (Section 5). This means that for deployments that support | |||
this kind of discovery, the gateway and Target Resources need to be | this kind of discovery, the Gateway and Target Resources need to be | |||
located on the same host. | located on the same host. | |||
This document also defines a way to fetch a gateway's key | This document also defines a way to fetch a gateway's key | |||
configuration from the gateway (Section 6). | configuration from the gateway (Section 6). | |||
This mechanism does not aid in the discovery of relays; relay | This mechanism does not aid in the discovery of relays; relay | |||
configuration is out of scope for this document. Models in which | configuration is out of scope for this document. Models in which | |||
this discovery mechanism is applicable are described in Section 3. | this discovery mechanism is applicable are described in Section 3. | |||
2. Conventions and Definitions | 2. Conventions and Definitions | |||
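Review bot: the only change in this block is "the gateway and Target Resources" becoming "the Gateway and Target Resources", which makes the phrase read as two capitalized resource terms and matches "Target Resources" in the same clause. The other occurrences of "gateway" in this block (the gateway that provides access to the target, the gateway's key configuration) name the gateway generically rather than the resource and are correctly left lowercase; nothing further needs to change here.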
skipping to change at line 233 ¶ | skipping to change at line 233 ¶ | |||
configured resolver or querying using the name of a resolver [DDR]. | configured resolver or querying using the name of a resolver [DDR]. | |||
For example, a DoH service advertised over DDR can be annotated as | For example, a DoH service advertised over DDR can be annotated as | |||
supporting resolution via Oblivious HTTP using the following RR: | supporting resolution via Oblivious HTTP using the following RR: | |||
_dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( | _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( | |||
alpn=h2 dohpath=/dns-query{?dns} ohttp ) | alpn=h2 dohpath=/dns-query{?dns} ohttp ) | |||
Clients still need to perform verification of oblivious DoH servers | Clients still need to perform verification of oblivious DoH servers | |||
-- specifically, the TLS certificate checks described in Section 4.2 | -- specifically, the TLS certificate checks described in Section 4.2 | |||
of [DDR]. Since the gateway and Target Resources for discovered | of [DDR]. Since the Gateway and Target Resources for discovered | |||
oblivious services need to be on the same host, this means that the | oblivious services need to be on the same host, this means that the | |||
client needs to verify that the certificate presented by the gateway | client needs to verify that the certificate presented by the gateway | |||
passes the required checks. These checks can be performed when | passes the required checks. These checks can be performed when | |||
looking up the configuration on the gateway as described in Section 6 | looking up the configuration on the gateway as described in Section 6 | |||
and can be done either directly or via the relay or another proxy to | and can be done either directly or via the relay or another proxy to | |||
avoid exposing client IP addresses. | avoid exposing client IP addresses. | |||
Opportunistic Discovery [DDR], where only the IP address is | Opportunistic Discovery [DDR], where only the IP address is | |||
validated, SHOULD NOT be used in general with Oblivious HTTP, since | validated, SHOULD NOT be used in general with Oblivious HTTP, since | |||
this mode primarily exists to support resolvers that use private or | this mode primarily exists to support resolvers that use private or | |||
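Review bot: this block carries the same capitalization fix as the earlier one: "Since the gateway and Target Resources for discovered oblivious services need to be on the same host" now reads "Gateway and Target Resources", so the phrase is consistent in both places it appears. The later "certificate presented by the gateway" is rightly left lowercase, since it refers to the host whose TLS certificate is checked under Section 4.2 of [DDR], not to the resource.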
End of changes. 2 change blocks. | ||||
2 lines changed or deleted | 2 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |