Re: [DNSOP] [Doh] New I-D: draft-reid-doh-operator

Matthew Pounsett <> Wed, 20 March 2019 20:33 UTC

From: Matthew Pounsett <>
Date: Wed, 20 Mar 2019 16:33:17 -0400
Message-ID: <>
To: Joe Abley <>
Cc: Jared Mauch <>, Ted Hardie <>, DoH WG <>, Brian Dickson <>, dnsop <>, paul vixie <>, Michael Sinatra <>, Stephen Farrell <>

On Wed, 20 Mar 2019 at 07:38, Joe Abley <> wrote:

> [There is actually a proposal at the bottom of this e-mail. Bear with me.]

And it's a good proposal!

> Standardise this privacy mechanism, and specify (with reasoning) that it
> should be implemented such that the existence of the channel (but not the
> content) can be identified as distinct from other traffic by third parties.
> Maybe specify use of a different port number, as was done with DoT.

I think this would alleviate most people's concerns... certainly it deals
with mine.  I have difficulty believing it is acceptable to the pro-DoH
community though, considering the first of the two use-cases defined in the
Introduction of RFC8484: "... preventing on-path devices from interfering
with DNS operations..."

I eagerly welcome the -bis document that removes this statement, and
defines a new port number which DoH traffic SHOULD use.

> Those who choose to ignore that direction and create a covert channel using
> port 443 instead will do so. Nothing much we can do to stop that today (I
> guarantee it is already happening). The future is not really different.

Indeed.  If everyone above-board is using port 5443 (to pull a number out
of the air) for their DoH traffic, the below-board usage should be about as
visible as any such usage is today.

> Of course when people shift the focus of the conversation from DoH in
> general to resolverless DNS, and want to interleave DNS messages with HTML
> and cat GIFs over the same HTTPS bundles, the pitchforks will need to come
> out again. So keep them handy.

I don't actually own a pitchfork, but I'll keep my Woodsman's Pal sharp. :)
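The trade-off argued in this message, a dedicated port making the existence of the encrypted-DNS channel visible to an on-path observer without exposing its content, can be made concrete with a small flow classifier. The following is an added example, not code from the thread or from any of its participants. It assumes port 853 for DoT (RFC 7858), treats 5443 purely as the hypothetical DoH port pulled "out of the air" above, and uses constructed flow records with RFC 5737 documentation addresses and made-up SNI names; the operator's list of known DoH endpoints is likewise constructed.

```python
"""Flow classifier: what an on-path observer can identify without decrypting.

Added example, not from the DNSOP/DoH thread. Ports, addresses, SNI names and
the operator's endpoint list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DOT_PORT = 853             # DNS over TLS, registered by RFC 7858
DOH_DEDICATED_PORT = 5443  # hypothetical; the number "out of the air" in the message, not registered

# Constructed operator-maintained list of DoH endpoints that sit on 443.
# Such lists are inherently incomplete and go stale; that is the point.
KNOWN_DOH_IPS = {"203.0.113.53"}
KNOWN_DOH_SNI = {"doh.example.net"}


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    sni: str       # TLS ClientHello server_name, cleartext to an on-path observer
    is_dns: bool   # ground truth known only to the endpoints; used to score the observer


def identify(flow: Flow) -> Optional[str]:
    """Return how the observer can tell this is an encrypted-DNS channel, or None."""
    if flow.dport in (DOT_PORT, DOH_DEDICATED_PORT):
        return "port"   # channel existence is visible from the port alone
    if flow.dport == 443 and (flow.dst in KNOWN_DOH_IPS or flow.sni in KNOWN_DOH_SNI):
        return "list"   # visible only because the endpoint is on a maintained list
    return None         # indistinguishable from ordinary HTTPS


def score(flows) -> dict:
    """Count detections, misses and false positives for the observer policy above."""
    detected = missed = false_positive = 0
    for f in flows:
        seen = identify(f) is not None
        if f.is_dns and seen:
            detected += 1
        elif f.is_dns:
            missed += 1
        elif seen:
            false_positive += 1
    return {"detected": detected, "missed": missed, "false_positive": false_positive}


# Constructed sample flows (RFC 5737 addresses, example.* names).
SAMPLE_FLOWS = [
    Flow("192.0.2.53", DOT_PORT, "", True),                     # DoT: visible by port
    Flow("192.0.2.53", DOH_DEDICATED_PORT, "doh.example.net", True),  # above-board DoH on the hypothetical port
    Flow("203.0.113.53", 443, "doh.example.org", True),         # DoH on 443, resolver IP is on the list
    Flow("198.51.100.7", 443, "cdn.example.com", True),         # covert DoH on 443, unlisted: missed
    Flow("198.51.100.9", 443, "www.example.com", False),        # ordinary HTTPS
    Flow("203.0.113.53", 443, "www.resolver.example", False),   # web site on a listed resolver IP: false positive
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst}:{f.dport} sni={f.sni or '-'} -> {identify(f)}")
    print(score(SAMPLE_FLOWS))
```

The dedicated-port rule catches every above-board DoH flow with no list maintenance, while the 443 case depends on an IP/SNI list that both misses unlisted endpoints and misfires on a resolver address that also serves a web site. Covert DoH on 443 remains exactly as visible as it is today, which is the point the reply makes.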