Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

Daniel Stenberg <> Tue, 29 January 2019 15:51 UTC

Date: Tue, 29 Jan 2019 16:50:41 +0100 (CET)
From: Daniel Stenberg <>
To: Stephane Bortzmeyer <>
cc: Paul Hoffman <>, DoH WG <>

On Tue, 29 Jan 2019, Stephane Bortzmeyer wrote:

> I have a big concern about the idea of an application (for instance the Web 
> browser) having a specific DNS resolver (section 5 of draft -07), different 
> from the rest of the applications on the same machine.

*That* development has been going on for many years already, totally 
independent of secure DNS, partly due to the lack of proper standard 
async/non-blocking APIs. (I maintain one such library.)

A more positive way to look at such independent code is that it allows for 
better innovation and freedom for applications as they're not held back by 
(from their point of view) limited system implementations.

I don't think we, or anyone else, can stop that trend and I don't think we 
should try. I think we should be agnostic to where the implementations lie.