DNSCrypt / dnscrypt-website

DNSCrypt website
https://dnscrypt.info
MIT License
61 stars 18 forks source link

DNS stamps specification: optional user:password #31

Open ameshkov opened 1 year ago

ameshkov commented 1 year ago

Why? With DoH it is possible to use HTTP basic authentication on top of

DNS stamps follow the URL format so they kind of already support passing basic authentication using the standard approach: sdns://user:password@stamp

We're planning to implement support for this in AdGuard products in the future and I wanted to ask what do you think about it? Would you like to add support for it to dnscrypt-proxy?

jedisct1 commented 1 year ago

Sure, why not!

The format also allows specifying both a server and its relay, with sans://<relay>/<server>. I don't remember if dnscrypt-proxy handles this yet, but the parsing part was already done to prepare for it.

So, for ODoH and DOoH, what would user:password@ apply to? The server or the relay?

ameshkov commented 1 year ago

I think semantically it would be correct to apply it to the relay.

Also, I actually think that in the case of ODoH etc. it would be more flexible to put the server data in a query parameter and not in the path as otherwise it does not allow extending the spec further: sdns://<relay>/?server=<server>.

Here's how I see the semantics of sdns://<stamp>/<path_and_query>:

What do you think about it? Or maybe this ship has already sailed and <relay>/<server> is commonly used?