Re: [Doh] A question on the mix of DNS and HTTP semantics

Stephane Bortzmeyer <> Sun, 18 March 2018 16:43 UTC


On Sat, Mar 17, 2018 at 10:42:08AM -0700,
 Ted Hardie <> wrote 
 a message of 182 lines which said:

> Similarly, it was not clear to me whether a response like 451 could
> contain a UDP wireformat body and, if so, what it would be.  If it
> contains no body, the DNS implementation might continue attempting
> to query for the information.  If it contains a REFUSED RCODE, in
> contrast, it would see a policy-based error.

That's an interesting example. If a DoH server replies 451, does it
mean that access to this DoH service is blocked, for policy reasons,
or that access to this specific DNS data is blocked, for policy
reasons? In other words, can an HTTP response from a DoH server depend
on the QNAME? (Or on the tuple {QCLASS, QTYPE, QNAME}?)

Maybe a way to address this issue would be to say "HTTP status code
depends only on the HTTP request and server, never (MUST NOT) on the
DNS question"?
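
An added example, not part of the original message: a sketch of how a DoH client could separate the two layers if the rule proposed above were adopted, so that a 451 is read as a statement about the service and a REFUSED RCODE as a statement about the question. The names `Verdict`, `classify`, `dns_rcode` and `make_response` are hypothetical, and the sample messages are constructed.

```python
import struct
from typing import NamedTuple

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

class Verdict(NamedTuple):
    layer: str       # "http" or "dns"
    applies_to: str  # "service" (the whole DoH endpoint) or "question"
    reason: str

def dns_rcode(message: bytes) -> int:
    """Return the 4-bit RCODE from the 12-byte DNS wire-format header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a DNS response")
    return flags & 0x000F

def classify(status: int, body: bytes) -> Verdict:
    """Assumed rule: the HTTP status never depends on the DNS question."""
    if not 200 <= status <= 299:
        # A 451 (or any other non-2xx) says something about the DoH service,
        # not about the QNAME; any body is deliberately not parsed as DNS.
        return Verdict("http", "service", f"HTTP {status}")
    try:
        rcode = dns_rcode(body)
    except ValueError as exc:
        # 2xx without a usable DNS message is a server fault, not an answer.
        return Verdict("http", "service", f"malformed body: {exc}")
    # Per-question policy (e.g. REFUSED) is only ever signalled here.
    return Verdict("dns", "question", RCODE_NAMES.get(rcode, f"RCODE {rcode}"))

def make_response(rcode: int) -> bytes:
    """Constructed sample: header-only DNS response with the given RCODE."""
    return struct.pack("!HHHHHH", 0, 0x8000 | rcode, 0, 0, 0, 0)

if __name__ == "__main__":
    samples = [(451, b""), (451, make_response(5)),
               (200, make_response(5)), (200, make_response(3)), (200, b"\x00")]
    for status, body in samples:
        print(status, len(body), classify(status, body))
```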