Re: [DNSOP] Concerns around deployment of DNS over HTTPS (DoH)

Kenji Baheux <> Sun, 24 March 2019 05:43 UTC

From: Kenji Baheux <>
Date: Sun, 24 Mar 2019 14:43:29 +0900
To: Wes Hardaker <>

On Sat, Mar 23, 2019, 13:04 Wes Hardaker <> wrote:

> Kenji Baheux <> writes:
> >   * We are considering a first milestone where Chrome would do an
> >     automatic upgrade to DoH when a user's existing resolver is capable of it.

> Sorry for the delayed question, but with respect to this bullet:

> 1) Do you have evidence that DOH is faster than DOT, since speed was one
> of your goals?

Speed isn't a primary goal, hence the use of "hopefully". Based on
Mozilla's early results [1], there is hope that the performance will be
improved at the high percentiles and remain neutral/acceptable otherwise.


> 2) What other reasons are you considering when doing DOH instead of DOT
> to protect privacy.

We are not considering DOT, just DOH.

I believe that there have been many discussions in the past that offered
reasons why a browser / ... would naturally prefer DoH over DoT.

I don't think I have anything to add that would sway the debate one way or
another. In fact, I think it's fair to say that the debate is unlikely to
come to an end anytime soon.

Instead, I imagine it would be more effective to focus on specific
scenarios: who are the actors, what do they want or accept/understand, is
the scenario reasonable to all parties involved, what can they do, etc.

> Specifically, you're preferring DOH but your stated
> goals are "Stronger privacy and security." and "Hopefully, some
> performance wins.", without providing rationale for each of the potential
> solutions.  DNS plain clearly doesn't meet the first, but likely does
> the second.  But you fail to provide a goal that distinguishes why you'd
> prefer DOT vs DOH to meet both these goals.
> --
> Wes Hardaker