Re: [DNSOP] extension of DoH to authoritative servers

Paul Vixie <> Tue, 12 February 2019 23:32 UTC

To: David Conrad <>
Cc: dnsop <>
From: Paul Vixie <>
Date: Tue, 12 Feb 2019 15:32:37 -0800

David Conrad wrote on 2019-02-12 15:10:
> You missed my point.  The IETF declared NATs heretical and as a
> result, a zillion people did it in a zillion different ways, creating
> a huge mess.

i remember this. and i agree. had IAB said "this specification is
inadequate, let's get firewall traversal working before we publish",
rather than "it is heretical and must not be done", a lot of pain and
waste would have been avoided.

> ...  Lots of people are implementing sending/receiving DNS 
> queries/responses over HTTPS.

since i did it myself ( years
before DoH was thought of, i can scarcely disagree.

> DoH simply codifies one way of doing it so that network managers,
> software developers, etc., have a chance to develop management
> systems for it.

really? "simply"? i don't think it's that simple. here's the part of RFC 
8484 that i would have expected to cause a "discuss" event in IESG 
before allowing publication:

<<Two primary use cases were considered during this protocol's 
development.  These use cases are preventing on-path devices from 
interfering with DNS operations, ...>>

that's not a simple thing. IESG should have said, "that part is 
problematic, please make this protocol optional for the network 
operators and controllable by their on-path devices."

by putting that text in and leaving it in, this becomes a political 
project not a technical one. IESG had the ability to say, please find a 
better way to solve this problem, that disenfranchises nobody.

as it happens, nothing stops a web browser or other such client from 
using DoT, and it's possible that the right answer was to say, DoT will 
answer every technical need that this RFC describes, but none of its 
political needs, and we don't want to be in the politics business.

to validate whether RFC 8484's goal is political, let's ponder whether 
the document would have been perfectly unhurt by the non-enumeration of 
this use case. i think yes. so, why mention it?

>> i'd like the same level of freedom when it comes to how DNS is
>> served.
> Then force the folks on your network to install a cert so you can
> filter out DoH.  Contrary to your assertion, I doubt netflow will let
> you discriminate between good and evil. You have to have visibility
> to do that.

i have embedded devices which don't let me install certs inside them, 
and i don't think i'm alone. the general name for what you're describing 
is "web application firewall" and it simply breaks anything that won't 
cooperate -- which is the policy i'm going to need, if any so-called 
"public DNS" server shares a DoH responder address with any other 
service i care about. this remains to be seen. the market will help decide.

i'm surprised and fascinated by your vision of what my security needs 
are -- even though you have misstated them here -- but you're wrong on 
the facts, and the economics. if you are willing to spend the serious 
effort it would take to fully engage with the lived experience of modern 
CISOs, then we should take that topic up 1x1.

P Vixie
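Added example, not part of the thread and not code from either poster or from RFC 8484. The exchange above turns on what a network operator can and cannot see: a flow-record (netflow) view, blocking the resolver's address, or looking at the TLS handshake. The toy classifier below scores those three levers against a constructed set of flows, including a DoH resolver that shares an address with an unrelated web application. All addresses are RFC 5737 TEST-NET values and all hostnames ("doh.resolver.example", "app.example") are hypothetical.

```python
"""
Added example, not part of the DNSOP thread or of RFC 8484: a toy
policy-point classifier contrasting the three levers an operator has
for filtering DNS-over-TLS versus DNS-over-HTTPS at the network edge.
Every address (RFC 5737 TEST-NET) and hostname below is constructed;
"doh.resolver.example" and "app.example" are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DOT_PORT = 853    # RFC 7858: DoT has a dedicated port
HTTPS_PORT = 443  # RFC 8484: DoH shares the port of all other HTTPS traffic


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: Optional[str]  # TLS server_name, if the policy point sees the handshake


# Constructed policy inputs.
DOH_RESOLVERS = {"doh.resolver.example"}
# The hypothetical resolver answers on an address it shares with an
# unrelated web application the operator wants to keep reachable.
SHARED_ADDR = "192.0.2.10"

# Constructed flows: one DoT session, one DoH session, one ordinary
# HTTPS session to the application behind the shared address, and one
# HTTPS session elsewhere.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", SHARED_ADDR, DOT_PORT, None),
    Flow("10.0.0.5", SHARED_ADDR, HTTPS_PORT, "doh.resolver.example"),
    Flow("10.0.0.6", SHARED_ADDR, HTTPS_PORT, "app.example"),
    Flow("10.0.0.7", "192.0.2.20", HTTPS_PORT, "www.example"),
]

Rule = Callable[[Flow], bool]  # True means "block"


def is_dns_flow(f: Flow) -> bool:
    """Ground truth used only for scoring: what the operator wants to stop."""
    return f.dport == DOT_PORT or (f.dport == HTTPS_PORT and f.sni in DOH_RESOLVERS)


def port_rule(f: Flow) -> bool:
    """What a 5-tuple (netflow-style) view can do: match the DoT port.
    DoH is indistinguishable from any other port-443 flow here."""
    return f.dport == DOT_PORT


def address_rule(f: Flow) -> bool:
    """Block everything to the resolver's address. Catches DoH without
    payload visibility, but takes down whatever else lives there."""
    return f.dst == SHARED_ADDR


def sni_rule(f: Flow) -> bool:
    """Match the cleartext server_name in the ClientHello. Needs a policy
    point that sees handshakes, not just flow records, and only works
    while the resolver's name is distinctive and the SNI is visible."""
    return f.dport == DOT_PORT or (f.dport == HTTPS_PORT and f.sni in DOH_RESOLVERS)


def evaluate(rule: Rule, flows: List[Flow]) -> Dict[str, int]:
    """Score a rule: DNS flows it blocks, DNS flows it misses, and
    non-DNS flows it breaks as collateral damage."""
    blocked = [f for f in flows if rule(f)]
    return {
        "dns_blocked": sum(1 for f in blocked if is_dns_flow(f)),
        "dns_missed": sum(1 for f in flows if is_dns_flow(f) and not rule(f)),
        "collateral": sum(1 for f in blocked if not is_dns_flow(f)),
    }


def summary(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, int]]:
    """Score all three levers against the same flow set."""
    return {
        "port": evaluate(port_rule, flows),
        "address": evaluate(address_rule, flows),
        "sni": evaluate(sni_rule, flows),
    }


if __name__ == "__main__":
    for name, score in summary().items():
        print(f"{name:8s} {score}")
```

On the constructed flows the port rule stops DoT and misses DoH, the address rule stops both but also breaks the co-hosted application, and the SNI rule stops both with no collateral damage. The SNI rule is passive (no certificate has to be installed on the client), but it depends on the resolver using a distinctive name and on the server_name being readable at the policy point; anything finer, such as inspecting the HTTP request for an application/dns-message body, requires terminating TLS, which is exactly the cert-installation problem raised for embedded devices above.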