Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Tony Finch <> Mon, 20 August 2018 16:42 UTC

Date: Mon, 20 Aug 2018 17:42:10 +0100
From: Tony Finch <>
To: Marek Vavruša <>
cc: dnsop <>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
List-Id: IETF DNSOP WG mailing list <>

Marek Vavruša <> wrote:

This is interesting to me because I want to support DoTH on my campus.

Regarding DoT, it seems to me that a super simple way for the client to
be able to authenticate the server would be to include the server's IP
address(es) in the subjectAltName field. This wouldn't require a DHCP
extension, and nicely supports opportunistic upgrade. I'm afraid I wasn't
paying attention when RFC 8310 was being prepared so I don't know why it
excludes iPAddress authentication.

Regarding DoH, the DHCP option ought to include a URI template (there
isn't a .well-known for DoH). I plan to set up my servers so that
misdirected attempts to get web pages from the DoH server are redirected
to the relevant documentation; that's much easier if the DoH endpoint
isn't at the server root.

A URI template usually implies the need for DNS queries to resolve the
server name (unless it's an address literal). Would it be plausible to
allow the client to assume that the DoH server IP addresses are the same
as the DNS server addresses, so it can skip the lookup? I guess that would
be too annoying for operators that want their DoH servers to be separate
from their normal DNS resolvers, so maybe it's a bad idea :-)
(PS. DoTH is clearly what happens if someone suggests "DoNT" but we do it anyway.)

f.anthony.n.finch  <>
fight poverty, oppression, hunger, ignorance, disease, and aggression
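The two client-side pieces the message touches on, as an added example that is not part of the thread or of any DoT/DoH implementation: checking a DoT server's certificate against the resolver's IP address via iPAddress subjectAltName entries (the check the message suggests, which RFC 8310 does not profile), and expanding a DoH URI template of the form RFC 8484 uses (`https://host/dns-query{?dns}`) for a GET request while noting whether the template's host is a name that needs a lookup or an address literal. It uses only Python's standard library; the peer-certificate dict follows the layout `ssl.SSLSocket.getpeercert()` returns, and the certificate contents and template hosts are constructed sample values.

```python
"""Added example, not code from the mailing-list thread.

1. san_matches_ip: authenticate a DoT server by the 'IP Address'
   subjectAltName entries in the dict that ssl.SSLSocket.getpeercert()
   returns (assumed layout; the sample cert below is constructed).
2. build_dns_query / expand_doh_template / needs_name_lookup: build a
   wire-format query, expand an RFC 8484 '{?dns}' URI template for GET,
   and tell whether the template host is an address literal.
"""
import base64
import ipaddress
import struct
from urllib.parse import urlsplit

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "dns.example"),),),
    "subjectAltName": (
        ("DNS", "dns.example"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:db8::53"),
    ),
}


def san_matches_ip(peercert: dict, expected_ip: str) -> bool:
    """True if an 'IP Address' SAN entry equals expected_ip.

    Addresses are compared after parsing, so '2001:db8::53' and
    '2001:DB8:0:0:0:0:0:53' match. dNSName entries are ignored on purpose:
    the point of the check is that the client knows only an address."""
    want = ipaddress.ip_address(expected_ip)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == want:
                return True
        except ValueError:  # malformed SAN value: skip, don't match
            continue
    return False


def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 recommends 0 so the GET URL is
    cache-friendly), RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def expand_doh_template(template: str, wire_query: bytes) -> str:
    """Expand the '{?dns}' form-style query variable of an RFC 8484 template.

    The value is base64url without padding, as RFC 8484 section 6 requires;
    that alphabet is entirely URI-unreserved, so no percent-encoding is
    needed. Only the single '{?dns}' variable is supported here."""
    if "{?dns}" not in template:
        raise ValueError("template has no {?dns} variable")
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + encoded)


def needs_name_lookup(template: str) -> bool:
    """True if the template's host must be resolved before the DoH server
    can be reached; False for an IPv4 or bracketed IPv6 address literal."""
    host = urlsplit(template.replace("{?dns}", "")).hostname
    if host is None:
        raise ValueError("template has no host")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("DoT SAN check:", san_matches_ip(SAMPLE_PEERCERT, "2001:DB8::53"))
    for tmpl in ("https://dnsserver.example.net/dns-query{?dns}",
                 "https://[2001:db8::53]/dns-query{?dns}"):
        print(needs_name_lookup(tmpl),
              expand_doh_template(tmpl, build_dns_query("www.example.com")))
```

The `www.example.com` expansion reproduces the GET example in RFC 8484 section 4.1.1, which is a convenient way to confirm the encoding. `needs_name_lookup` is the decision point the last paragraph raises: a template whose host is an address literal needs no bootstrap query, while a hostname does.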