Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Matthew Pounsett <> Wed, 20 March 2019 20:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DF2F61311C1 for <>; Wed, 20 Mar 2019 13:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 84PnkmgvOTQR for <>; Wed, 20 Mar 2019 13:33:29 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 355C7131213 for <>; Wed, 20 Mar 2019 13:33:29 -0700 (PDT)
Received: by with SMTP id w18so988463itj.4 for <>; Wed, 20 Mar 2019 13:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4vIfuXb8+/6apmytLwQgu3S5Vxd5Sh7NRO1JWyioBfk=; b=rpHJ3HdIAOkhJl8jGXm2fGxhptR+Lc41iolDPjgbRX7+BePqIZqfsje8VWUqYrm+eh l3wTNL5s0XsR2txf9GvT6/yeLRXriGlXO62K0O2EAEyiDGHMmrfqLRCmyjs5SoatA0Ml 4+5rg+MqztY+XYoPFjUJ9J5RrlSQaiYfxaXsumJjdolGmYoXPMFP71IX5cV2SvPSePVn mYO0kdTODRDGagNHymTZS/lW+mWJ81egrV+tsIEYMHwNPSus1HW8TB1wbfMWsrORoJvD F5L3KTzjV4NDD5TXOvoNBTPiH+C5ePrShgzG4YklbHhgx1lOfXxzIQKDsaR5vF20VTLY 7msg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4vIfuXb8+/6apmytLwQgu3S5Vxd5Sh7NRO1JWyioBfk=; b=F3ZByVZOK0nD8X6tNWbDlMjI8pbCzevi2tkV/Zw92Xdn3p5nLIE9BeKBm3Gbqx0yxV prKwG2JDuoRJ9PccClpyajlg3YUFreo9TaG3o9YFMDTPXSkK97c5xaL5bD3FRVshFRf6 Tb+4AQOX+FKWolWyRB9EmzzT/kSHmJ30GJ5Gi0Ti9j8QDWYp1Gbt+h7b0FVAeuFx1y1c Xil5Y0oCRh5CX+FQe3Px5T5/pE+9lErPYIZ8wGwJb08TI75DfXSz3p9vAEngH15/+la+ kELVVPzZ9z70q2Ra5KLoSTs/92mmQR3pdhBy1tEacKrP1GxK0SIks8cBUV/JPTM1aIH2 RFCQ==
X-Gm-Message-State: APjAAAVNN+grypjwFYAQVOV6Sr+9llopGZMAy9ZkPiKh0rqxio8CeYn4 S0CBil/KasyzEmqwsL7e40OHLhyB1sLyD+BvaQgNwA==
X-Google-Smtp-Source: APXvYqzgtEsAze//lP7/YTKlxWymX30DNh1m9cDEAjSuxqJm3P6szNGbcgFQ7kIksSi8OgsIOTxZIAs+jslc8XAnM7w=
X-Received: by 2002:a24:ba1a:: with SMTP id p26mr203317itf.150.1553114008201; Wed, 20 Mar 2019 13:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <> <3457266.o2ixm6i3xM@linux-9daj> <> <1914607.BasjITR8KA@linux-9daj> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Matthew Pounsett <>
Date: Wed, 20 Mar 2019 16:33:17 -0400
Message-ID: <>
To: Joe Abley <>
Cc: Jared Mauch <>, Ted Hardie <>, DoH WG <>, Brian Dickson <>, dnsop <>, paul vixie <>, Michael Sinatra <>, Stephen Farrell <>
Content-Type: multipart/alternative; boundary="000000000000c16a3805848c8898"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Mar 2019 20:33:36 -0000

On Wed, 20 Mar 2019 at 07:38, Joe Abley <> wrote:

> [There is actually a proposal at the bottom of this e-mail. Bear with me.]

And it's a good proposal!

> Standardise this privacy mechanism, and specify (with reasoning) that it
> should be implemented such that the existence of the channel (but not the
> content) can be identified as distinct from other traffic by third parties.
> Maybe specify use of a different port number, as was done with DoT.

I think this would alleviate most people's concerns... certainly it deals
wth mine.  I have difficulty believing it is acceptable to pro-DoH
community though, considering the first of the two use-cases defined in the
Introduction of RFC8484: "... preventing on-path devices from interfering
with DNS operations..."

I eagerly welcome the -bis document that removes this statement, and
defines a new port number which DoH traffic SHOULD use.

Those who choose to ignore that direction and create a covert channel using
> port 443 instead will do so. Nothing much we can do to stop that today (I
> guarantee it is already happening). The future is not really different.

Indeed.  If everyone above-board is using port 5443 (to pull a number out
of the air) for their DoH traffic, the below-board usage should be about as
visible as any such usage is today.

Of course when people shift the focus of the conversation from DoH in
> general to resolverless DNS, and want to interleave DNS messages with HTML
> and cat GIFs over the same HTTPS bundles, the pitchforks will need to come
> out again. So keep them handy.

I don't actually own a pitchfork, but I'll keep my Woodsman's Pal sharp. :)