Re: [dispatch] New proposed work: DNS over HTTPS

Stephen Farrell <> Sat, 17 June 2017 12:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5CDD7129485 for <>; Sat, 17 Jun 2017 05:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uNuO4IrLwEH6 for <>; Sat, 17 Jun 2017 05:33:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 497E912949A for <>; Sat, 17 Jun 2017 05:33:35 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 76298BE3E; Sat, 17 Jun 2017 13:33:33 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U8zI34-Wn2Mw; Sat, 17 Jun 2017 13:33:31 +0100 (IST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 16F18BE39; Sat, 17 Jun 2017 13:33:31 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1497702811; bh=6BAXW0HEC24ck0L5as68pDqu+rX+XUERuyZP17iBEaU=; h=Subject:To:References:From:Date:In-Reply-To:From; b=viAAqt/+w7QTQp6Bz+xy7TLLTIXS02LBEkCKclMnizxF1Uco3c+xfUVs5lzqw80ts FPA703ieuTFlKwe210wZ5tasbQTDC4gPSG1/mROTvJ34C9xEmM/Ai0bZgyzC8WDWmt 3UKcyltxiI1PbUxe/fqTzhjGm5swpnPOXtKOe3os=
To: Paul Hoffman <>, "" <>
References: <>
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <>
Date: Sat, 17 Jun 2017 13:33:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="BTrd65sNVwcUIrOIeNevDdNlgkuxk4J4N"
Archived-At: <>
Subject: Re: [dispatch] New proposed work: DNS over HTTPS
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 17 Jun 2017 12:33:38 -0000

FWIW I generally support this work.

Despite the last para of the security considerations section
(which may be partly in response to some off list comments I
made, and if so thanks:-), I think more effort needs to be
devoted to considering attacks that might use this. For example,
it may be that it'd be sensible to explore whether or not a browser
using this mechanism ought limit the DNS cache resulting to
the tab that is rendering content from that origin or something.
And yes, current browsers may be equally vulnerable to similar
attacks via WiFi APs, but there remain differences - e.g., folks
probably only regularly interact with a few APs, but with many
web sites and perhaps thousands of https-speaking hosts so there
is the potential for this to expand the horizon a lot, despite the
admonition in the referenced text. Especially when one considers
the risible state of so-called "consent" on the web.

So if such analysis is part of the planned work, then I'd be
happy to support progressing it. If not... not.


On 16/06/17 21:34, Paul Hoffman wrote:
> Greetings. We would like to propose that the work on DNS over HTTPS that is  currently embodied in the individual draft be dispatched at IETF 99.
> The work has been discussed for the last nine months on the IETF-sponsored mailing list at and was at the core of a bar bof in Seoul attended by around 80 people with a general consensus that standardization would benefit this space. I understand the draft should be resubmitted with the dispatch naming convention and will be very soon.
> This seems to us to be an Application protocol, but the httpbis WG generally does not take on how-to-use HTTP (that is, "foo over HTTP" work items), so dispatch's help in progressing the work would be appreciated. We emphasize that we seek work consistent with the goals of this previous work (and believe it to be a strong starting point), but the actual protocol specification is of course a matter of IETF consensus not pre-determined by that draft.
> As a bit of background, the Internet of course does not always provide good end-to-end reachability for DNS transport and this is especially true when using confidential and integrity transports for DNS. On-path network devices may spoof DNS responses, block DNS requests, track DNS activity, or just redirect DNS queries to different DNS servers that give less-than-honest answers.
> This work focuses on interacting with DNS servers, not just using encapsulation as a tunnel. Using secure HTTPS provides an alternative transport option and also provides a mechanism for obtaining and using DNS data in web browsers, both natively and in security contexts governed by the Same-Origin security policy.
> Another clear goal of the approach is to be a good fit for the HTTP protocol: good answers for caching, support for an ecosystem of different media types (such as both traditional DNS framing and more web-friendly things like JSON), and leverage of the multiplexing and prioritization schemes modern HTTP can provide.
> Use of HTTPS is very common, of course, and the ability to use an established connection to carry DNS information can provide both performance and confidentiality benefits over other approaches in circumstances when HTTPS is the prominent transport available. This proposal should not be considered exclusive or competitive with the valuable mechcanisms of the drive WG.
> Paul and Patrick
> _______________________________________________
> dispatch mailing list