Re: [dnsoverhttp] Fwd: New Version Notification for draft-hoffman-dns-over-https-00.txt

Martin Thomson <> Thu, 04 May 2017 03:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EE72C12945F for <>; Wed, 3 May 2017 20:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IyAOjY_c_Xkt for <>; Wed, 3 May 2017 20:52:38 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6140129AF9 for <>; Wed, 3 May 2017 20:52:37 -0700 (PDT)
Received: by with SMTP id j1so986391lfh.2 for <>; Wed, 03 May 2017 20:52:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K2x3mEJhsCY6MfBujlHlARBVa6c0y3wGmS2tnOG1eWA=; b=m9zJfSgvhSKr6U4sFOrAi0Tkrsmx8qUb127zntQV1dAneSKE4S6uJqudYTK0mmgx8C Wq0WyMgWTopZcK1rE3OboRr/Tqnc+GmE0ks3V13B3NpYSBoXGz7P225hWgR+ABSOTx+X 4rOYiIjAWlZ590APEHawhLIyy9oC7b6LbQjmLrklHITGkkzkwavvZYfzPAr+A4cgp+8B ac4Laa6N+y5l1Qw1MPBJT72c9VMbK2Z/9dWBIbc/ynViy4D606p1r+NRwNVtUfrRrR9v +5pjuc0MylQMCxbSbfdmsZN19nIhuoopCcI0/ubAyK19spWAAUXtXGlQCh/ip6rNjfDv l7Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K2x3mEJhsCY6MfBujlHlARBVa6c0y3wGmS2tnOG1eWA=; b=lxlPU2aIBaBu6lb41ywWij7GpoXE2dgK1ooWQO5AqROulWrK/kY0THw2+u26GI8R0x Kpb5yrwdIoRxVESb0EqI52+n6juKpxD8YOvMpXAAX9SQt8wuE/HusZZvtAFyJPNOptjk Ap3DfqX5KPQD2cYkdaehmTsRPSvc7CedWsTGNWTbboVGGP9e+nvmYMztIyn3UtRM43ep EjedLCE1I/W3K7M5yR2H2gNi88/OjFjFv2BT6W1D3mVVlrjsOxC2/Gk5u5URDMK6lKeq JJLbUPU7RWAv4inK1ZOeDaN0mFQQ8UTbPHhlmzPej1ayv48lEEnl/N2VbWfvDfutUTMM EUCw==
X-Gm-Message-State: AN3rC/6QzcLgyifJ4yIKUGQzth2NSS43eLkrVXvVr1t6NbXonX8WQSF4 ZfbARHWjEvtU+yYQSDetEzikQZyZPw==
X-Received: by with SMTP id s124mr7513103lja.44.1493869955968; Wed, 03 May 2017 20:52:35 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 3 May 2017 20:52:35 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Martin Thomson <>
Date: Thu, 4 May 2017 13:52:35 +1000
Message-ID: <>
To: Patrick McManus <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Subject: Re: [dnsoverhttp] Fwd: New Version Notification for draft-hoffman-dns-over-https-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of DNS over HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 May 2017 03:52:40 -0000

On 4 May 2017 at 13:15, Patrick McManus <> wrote:
> A new version of I-D, draft-hoffman-dns-over-https-00.txt

A few nits only; I need to think more about how this fits into the
ecosystem.  I am warming to the notion that you have flexibility in
representation format, that's a key advantage of using HTTP.  You have
neatly punted on the hard parts of that by choosing the dumb option to
document, which means that you can bootstrap effectively.

The query string uses one of the worst encodings known to man.  Did
you do any analysis here?  Is base64url bad for some reason.  For
instance, I would believe that it increases the length of the string
in the aggregate if you told me.

You should use a parameter name for the query string so that you at
least have the chance to automatically discover a service and make
requests in other forms using the query string without sniffing or
other such horrors (conneg works fine for the POST variant, but you
are pushing those uses to a method that isn't a great fit).  What you
have consumes the entire usable space in the query string, so it would
be hard to get in edgewise with an alternative query form.

Do you really need to encode the ID?  I realize that might be
construed as opening the floodgates, but it is going to make caching
that much more fragmented.  Can you not just trim it off?

Section 7 seems a little repetitive.  I don't think that you have much
of a case on security grounds to require h2, but the last paragraph
seems quite convincing.