PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

dnsdist: Ponder support for ODoH target mode #10652

Open johnhtodd opened 3 years ago

johnhtodd commented 3 years ago

Short description

Oblivious DOH is looking more like it will be implemented in various operating systems and browsers. The proxy is outside the scope of dnsdist, but target mode certainly seems like a reasonable thing to include in dnsdist's DOH stack if it is standardized.

Usecase

It would be useful for any dnsdist instance that is able to accept and process DOH requests to also be able to accept and process ODOH requests if a client (and thus proxy) is sending queries to that dnsdist instance.

Description

This feature request is for consideration of ODOH. Depending on complexity of implementation, more discussion may be required. The draft for ODOH is still incomplete as of this ticket's generation (2021/08/17) but the intervals between ideas existing and being implemented "at scale" unilaterally by large corporate organizations seem to be getting shorter and shorter these days, don't they?

See also: https://datatracker.ietf.org/doc/html/draft-pauly-dprive-oblivious-doh-06

rgacogne commented 3 years ago

I guess one of the first steps would be to find a good HPKE implementation that we could use, so either in C, C++, or with compatible bindings.

appliedprivacy commented 2 years ago

HPKE RFC 9180 has been recently published (Feb 2022).

This GitHub repo lists a few implementations: https://github.com/cfrg/draft-irtf-cfrg-hpke#existing-hpke-implementations

We are happy to help with testing ODoH code in dnsdist in the future.

rgacogne commented 2 years ago

Interesting, thanks! Several entries on that list seem nice but have no release, and some are not even self-contained. It would be fun to try using zig-hpke from C++, as in theory it should work, and we have always been very happy with Frank's work :)

appliedprivacy commented 2 years ago

RFC9230 ODoH has been published: https://www.rfc-editor.org/info/rfc9230