Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Paul Vixie <> Tue, 21 August 2018 19:23 UTC

To: Tom Pusateri <>
CC: Marek Vavruša <>, dnsop <>

Tom Pusateri wrote:
> The Chain Query Requests in DNS (RFC 7901) are awesome for the stub
> resolver. But the web/DoH server has more knowledge that the stub
> doesn’t have yet and so it can benefit from this knowledge in a way that
> the stub resolver can’t.

for this to matter, the user will either have to visit a very large 
number of completely unrelated destinations, or will have to visit the 
same site or site-cluster many times. i consider the former unlikely, 
and have therefore limited my thinking to the latter.

in the case where someone is visiting the same site or site-cluster many 
times, the cost of fetching the necessary crypto-chain materials will 
only be borne once, or at worst very infrequently, due to caching.

this means that the difference between having the crypto-chain pushed to 
you in advance by someone who can predict where you're about to go 
because they're also sending you content with those references, will be 
so rare as to be non-impacting.

in addition, DoH is not connected to web service in any necessary way. 
the DoH channel will be to a DoH provider such as CF. while there's a 
good chance in today's internet that you'll also be fetching content 
from CF, there are in fact other CDNs and many non-CDN content hosts. 
if you are talking to any content host other than CF, then the CF DoH 
service will have no knowledge of what to push toward you.

in further addition, even in the case where you have a persistent CF DoH 
connection open, it may not be easy for CF to share enough 
connection-state between its DoH and other-content servers so that the 
one will be able to push crypto-chain information to you in support of 
the other.

in short, i don't think DoH can usefully optimize by pushing.

P Vixie
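As an added illustration of the caching argument in the reply above (this is constructed example code, not code from the thread, from RFC 7901, or from any DoH implementation), here is a small model of a validating stub's per-zone chain cache that compares repeat visits to one site-cluster against visits to many unrelated sites. The zone names, TTLs and visit cadence are assumed sample values.

```python
from dataclasses import dataclass, field

# Constructed model: a validating stub caches the DNSSEC chain material
# (DS/DNSKEY/RRSIG) per zone for that material's TTL, so a visit costs a
# chain fetch only for zones whose cached material has expired.

@dataclass
class ChainCache:
    expires: dict = field(default_factory=dict)  # zone -> absolute expiry time

    def visit(self, chain, now):
        """Return how many zones of `chain` had to be fetched for a visit at `now`."""
        stale = [zone for zone, _ in chain if self.expires.get(zone, -1) <= now]
        for zone, ttl in chain:
            if zone in stale:
                self.expires[zone] = now + ttl
        return len(stale)


def simulate(visits):
    """visits: iterable of (time, chain).
    Returns (zone_fetches, visits_needing_any_fetch, total_visits)."""
    cache = ChainCache()
    zone_fetches = visits_with_miss = total = 0
    for now, chain in visits:
        n = cache.visit(chain, now)
        zone_fetches += n
        visits_with_miss += n > 0   # a push could at best have saved this visit
        total += 1
    return zone_fetches, visits_with_miss, total


def chain_for(name):
    """Constructed chain for <name>.com: (zone, TTL seconds) from the root down."""
    return [(".", 86400), ("com.", 86400), (name + ".com.", 3600)]


def same_site(interval=60, duration=86400):
    """One site-cluster visited every `interval` seconds for `duration` seconds."""
    return simulate((t, chain_for("example")) for t in range(0, duration, interval))


def unrelated_sites(n, interval=60):
    """n visits, each to a different site, one every `interval` seconds."""
    return simulate((i * interval, chain_for(f"site{i}")) for i in range(n))
```

Over a day of minute-by-minute visits to one site only the 3600-second zone material is refetched, so about one visit in sixty could have benefited from a push; with a different site on every visit, every visit misses.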