Re: [Doh] WG Review: DNS Over HTTPS (doh)

Stephen Farrell <> Mon, 25 September 2017 23:16 UTC

To: Adam Roach <>
Cc: Ted Hardie <>,, IETF <>

A nit, a question and a comment:

On 26/09/17 00:03, Ted Hardie wrote:
> Adam,
> Thanks for summarizing the discussion and its outcomes.  Looking at the
> revised charter, I noticed that it currently says "The use of HTTPS and its
> existing PKI provides integrity and confidentiality, and it also allows the
> transport to interoperate with common HTTPS infrastructure and policy."

Nit: Not sure if it's worth noting, but the integrity service here
is different from DNSSEC, and clients need to be cognizant of that.
Probably obvious though.

> The choice not to specify a particular version means that there may be more
> than one transport.  You may wish to rephrase this or elide it to reflect
> the decision taken on that point.

This para:

While access to DNS-over-HTTPS servers from JavaScript running
in a typical web browser is not the primary use case for this
work, precluding the ability to do so would require additional
preventative design. The Working Group will not engage in such
preventative design.

... strikes me as weird, given that it didn't say what is the
"primary" use-case. I think that needs fixing or may cause
confusion later. The question is: did I miss where you said what
was the primary use-case?

The comment: I find this version no better than the last in
terms of saying that the WG needs to consider the scope within
which DNS answers are used. And that was my major issue with
the last iteration, so overall, this version doesn't seem that
much better to me. My suggestion is to add text along these

"The WG will analyse the security and privacy issues that could
arise from accessing DNS in this manner. For example it'd clearly
be bad if JavaScript from random web sites could poison the OS's
DNS cache (though hopefully no implementation would allow that).
The manner in which that analysis is documented will be decided
by the WG."


> regards,
> Ted
> On Mon, Sep 25, 2017 at 3:56 PM, Adam Roach <> wrote:
>> Thanks to everyone who commented on the proposed charter for
>> DNS-over-HTTPS. I have noted four main categories of discussion:
>>    1. Whether to rule specific versions of HTTP in or out of scope of the
>>    charter.  While the consensus here was rough, there were more proponents of
>>    leaving the version out than baking it in. I further observe that leaving
>>    version out of the charter does not preclude the WG from reaching consensus
>>    that requires or precludes certain versions from being used.
>>    2. Discovery of DNS-over-HTTPS servers. Again, consensus was rough,
>>    but I find slightly more people in favor of allowing discovery than those
>>    opposed to its inclusion. I will be adding language to the charter proposal
>>    that allows such work if those parties interested in specifying such
>>    mechanisms show up in the working group. If no such critical mass shows up,
>>    the WG will be allowed to close without performing such specification.
>>    3. Scope of work: whether DNS-over-HTTPS servers are accessed normal
>>    stub resolver libraries or via JavaScript. The proposed charter now
>>    contains text clarifying that the JavaScript use case is not the primary
>>    motivation, but that the WG will not take steps to preclude it.
>>    4. Regarding the question of whether to perform the work at all (or
>>    whether to perform the work now): the analysis for starting a working group
>>    generally hinges on whether a viable group of willing and capable
>>    participants exists to complete such work, without regard to those who wish
>>    the work not to take place. While exceptions to this generality may
>>    certainly exist, I find no reason the proposed working group is special in
>>    this dimension.
>> The revised version of the proposed charter can now be found at:
>> /a