Re: [Doh] [Ext] a tad confused on response sizes

Tony Finch <> Tue, 05 June 2018 17:14 UTC

Date: Tue, 5 Jun 2018 18:14:36 +0100
From: Tony Finch <>
To: Star Brilliant <>
cc: "" <>
Subject: Re: [Doh] [Ext] a tad confused on response sizes
List-Id: DNS Over HTTPS <>

Star Brilliant <> wrote:
> Tony Finch <> wrote:
> > Since https's permitted length is longer than a DNS message,
> > it is invalid for a DoH server to truncate.
> No, DoH server never truncates messages.
> It is the upstream server that truncates the message.

If a DoH server talks to an upstream resolver over a truncating transport,
the DoH server has to retry over a non-truncating transport.

> The fact is that there are TCP servers that do truncate messages.
> There are also servers that firewall TCP by mistake so only UDP can pass.
> Some of them are even authoritative servers that you have no other way to bypass.

They are all broken and don't implement the protocol correctly.

> Yes, we know it is not RFC1035-compliant. But what can a DoH server do
> with this kind of malformed packet?
> 1) Ignore the TC bit and return the truncated answer to DoH client?
> 2) Take the TC bit and return the truncated answer to DoH client?
> 3) Return SERVFAIL and persuade users to give up your DoH service?

I think those are all reasonable. My DoH server just returns its
upstream's header verbatim. Its upstream resolver is responsible for
correct DNS semantics.

> You could do nothing but keep the TC bit. That is why DoH allows TC bit.

The point of this discussion is what the client is supposed to understand
by TC in a response. RFC 1035 implies that (over TCP) TC must not be set
by a server and must be ignored by a client. DoH should be the same.

f.anthony.n.finch <>
Biscay: Cyclonic 3 or 4. Slight. Thundery showers. Good, occasionally poor.
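As an added example (not code from the list thread or from either poster's DoH server), the decision logic discussed above: a DoH server that gets a TC-flagged reply from its upstream over UDP retries over TCP; a TC flag on a reply that already arrived over TCP marks a broken upstream, and the header is forwarded verbatim as Tony describes; the DoH client, following Tony's reading of RFC 1035 for non-truncating transports, never consults TC. The header builder and the sample replies are constructed for the example.

```python
import struct

QR_FLAG = 0x8000      # response bit in the flags word
TC_FLAG = 0x0200      # truncation bit, RFC 1035 section 4.1.1
HEADER_LEN = 12

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    return {"id": ident, "flags": flags, "qr": bool(flags & QR_FLAG),
            "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def build_header(ident: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Build a bare DNS header; used only to construct sample replies here."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

def doh_server_action(upstream_reply: bytes, transport: str) -> str:
    """What a DoH server does with a reply from its upstream resolver.

    'forward'    : no TC, pass the reply to the DoH client as-is
    'retry_tcp'  : UDP reply was truncated, re-ask the upstream over TCP
    'forward_tc' : TC set on a TCP reply (broken upstream); forward the
                   header verbatim and leave DNS semantics to the upstream
    """
    hdr = parse_header(upstream_reply)
    if not hdr["tc"]:
        return "forward"
    if transport == "udp":
        return "retry_tcp"
    return "forward_tc"

def doh_client_accepts(doh_response: bytes, expected_id: int) -> bool:
    """Client side: accept a response that is a reply to our query.
    TC is deliberately not consulted, since over a non-truncating
    transport the client must ignore it (RFC 1035 applied to DoH)."""
    hdr = parse_header(doh_response)
    return hdr["qr"] and hdr["id"] == expected_id
```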