Re: [DNSOP] extension of DoH to authoritative servers

Jeremy Rand <> Tue, 12 February 2019 12:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E698112F18C for <>; Tue, 12 Feb 2019 04:50:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X73GqeXZ19MD for <>; Tue, 12 Feb 2019 04:50:34 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D6BC812DF71 for <>; Tue, 12 Feb 2019 04:50:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1549975830; bh=PJN9A+eUjSRka/dZNvSOXAGH/N2g2c9BRJPnwrb3JGg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=TUUQlWDY7xQK0A/JlUS5pRFgW7tQzM11YihBtulTliaaV2B3xe1QgBAJG/UcOmVB1 SexeyAG2/nuwuUGqd+AA+eHhpA3y6lVp51wKkYntSS+P4yBgOEJ1CmJ+XFQgSSYJHP eGR3mwLFzF8zS+fwUHuRoGk3dke0jBpqm1gzS4VMFQG6O1YFpU308Rsj3kSKjRuk3B tj+YjR+Un5vacHHEaenVqCBAhxWQ8yNmZ3/8Pums3tx+pzrto2amGjbLnCTqshxQlN 33VsQEVBxIbCAMjm1jbuQN/eL2JDRiqfMxFaFV5TZrVLgmRqPTJVHKO0E6k4KLjFZJ e7SyYjOE2UbSQ==
To: Stephane Bortzmeyer <>, "" <>
Cc: dnsop <>
References: <> <>
From: Jeremy Rand <>
Message-ID: <>
Date: Tue, 12 Feb 2019 12:50:14 +0000
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="PEsRLBtx2o8qiVcO6JB71eramQWryRXlS"
Archived-At: <>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Feb 2019 12:50:37 -0000

Stephane Bortzmeyer:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
> <> wrote 
>  a message of 546 lines which said:
>> I am considering extending the DoH protocal to authoritative
>> servers.
> Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked
> at the edge of the network 2) applications running in a Web browser
> may need DNS data. But these two reasons do not apply to your use case
> 1) the resolver is often closer to the core and there is less risk
> that 853 is blocked 2) there is no Web browser on the resolver.

Hi Stephane,

Both of those assumptions are false when the user has installed a
recursive resolver on their home computer, as is the case when the user
has installed DNSSEC-Trigger.  They're also false when the user has
installed Namecoin, since Namecoin domain names often delegate to DNS
via NS+DS records.

(Of course, it could be argued that Namecoin users need to deal with
network censorship of Namecoin protocol traffic anyway, but I don't see
any reason to make the situation unnecessarily worse by avoiding DoH.)

-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email:
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email is having technical issues at the