Re: [Doh] [Ext] Associating a DoH server with a resolver

Paul Hoffman <> Thu, 25 October 2018 14:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 613B8130E5A for <>; Thu, 25 Oct 2018 07:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Fgm0OJ6buul9 for <>; Thu, 25 Oct 2018 07:57:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 13938130E69 for <>; Thu, 25 Oct 2018 07:57:12 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 25 Oct 2018 07:57:09 -0700
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1367.000; Thu, 25 Oct 2018 07:57:09 -0700
From: Paul Hoffman <>
To: Ben Schwartz <>
CC: DoH WG <>
Thread-Topic: [Ext] [Doh] Associating a DoH server with a resolver
Thread-Index: AQHUbHMAS2WH9fYpIkSbfmTvqNJTAg==
Date: Thu, 25 Oct 2018 14:57:09 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; boundary="Apple-Mail=_8E298BAB-67BC-4AF7-9504-795BFBBBA9C1"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Doh] [Ext] Associating a DoH server with a resolver
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Oct 2018 14:57:14 -0000

Sorry for the belated reply to this. Gotta love corporate mail systems...

On Oct 23, 2018, at 2:05 PM, Ben Schwartz <> wrote:
> Hi Paul, thanks for the continuing work on this topic.
> Two related questions:
> 1. Does the resolver have to return its own IP in the RR for, or can it return some other IP addresses?

The current wording is that the resolver returns its own IP address, which makes the resolver operator responsible for running the service that will respond to the well-known URI. There is no expectation that the URI templates returned from the well-known URI will all point to that same resolver; it would be find for the resolver operator to point to trusted third-party services.

> 2. If a client has some OS-specific way to enumerate the DNS server IPs for the default network interface, is it still required to perform "Step 1"?  (Most OSes do have some enumeration mechanism like this.)

Good point; I'll add this to the next draft and say "no". I'll also say "if the application can enumerate the OS's preferred DoH servers, there is no need to use the protocol here at all".

> Other minor comments:
> On Section 4, User Interface: I don't see the need for a user interface here.  In my view, opportunistic security generally shouldn't require user action and shouldn't produce a user-visible change.

Browser vendors might prefer that, privacy-concerned users might want a UI. I guess I'm targeting the latter.

> I think interaction with DoT is worth discussing here, even though it's probably trivial.  If I can probe for DoT and (with this draft) DoH, which one do I probe first, and which should I prefer if both succeed?

Yes, I'll add a stub for discussion of this.

--Paul Hoffman