[DNSOP] New draft for helping browsers use the DoH server associated with a resolver

Paul Hoffman <paul.hoffman@icann.org> Fri, 24 August 2018 00:01 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4207B130DC6 for <dnsop@ietfa.amsl.com>; Thu, 23 Aug 2018 17:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id N_Cnih-lcJJM for <dnsop@ietfa.amsl.com>; Thu, 23 Aug 2018 17:01:36 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BB2B1277BB for <dnsop@ietf.org>; Thu, 23 Aug 2018 17:01:36 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-1.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 23 Aug 2018 17:01:34 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1367.000; Thu, 23 Aug 2018 17:01:34 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: dnsop <dnsop@ietf.org>
Thread-Topic: New draft for helping browsers use the DoH server associated with a resolver
Thread-Index: AQHUOz2eFdvLdYVx8ky2u9E5+n3Qww==
Date: Fri, 24 Aug 2018 00:01:33 +0000
Message-ID: <3D4A9165-6EE8-4997-A9F7-DB19632C25F3@icann.org>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <F2CA7D522803064991F1923245F71379@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/f2iEou-LxULc-Wk-ttBArRJcGRM>
Subject: [DNSOP] New draft for helping browsers use the DoH server associated with a resolver
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Aug 2018 00:01:38 -0000

Greetings again. Some of the people in the recent thread about "dynamic discovery of secure resolvers" have expressed an interest in something that was mentioned at the DRIU BoF in Montréal: they want their browser to use a DoH server that is related to the DNS resolver that their OS is already using. I don't think DHCP can help with that problem (I could be wrong), but I do think that resolver operators should be able to tell browsers the DoH resolvers that they would want their customers to be using.

Please see the draft below. If folks like it, I can continue to work on it. Or, if you like the use case but have a better technical solution, that would be great too. I wanted to bring it to this list before taking it to the DOH WG because it really is an operational issue, not all that related to the DoH protocol.


--Paul Hoffman

A New Internet-Draft is available from the on-line Internet-Drafts directories. 

Title : Associating a DoH Server with a Resolver 
Author : Paul Hoffman 
Filename : draft-hoffman-resolver-associated-doh-00.txt 
Pages : 8 
Date : 2018-08-23 

Some clients will want to know if there are one or more DoH servers 
associated with the DNS recursive resolver that the client is already 
using. This document describes a protocol for a resolver to tell a 
client what its associated DoH servers are. 

The IETF datatracker status page for this draft is: 

There are also htmlized versions available at: 

Please note that it may take a couple of minutes from the time of submission 
until the htmlized version and diff are available at tools.ietf.org. 

Internet-Drafts are also available by anonymous FTP at: