Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Martin Thomson <> Wed, 24 October 2018 01:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9B4E1128CE4 for <>; Tue, 23 Oct 2018 18:22:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FXH7M1L7qBhw for <>; Tue, 23 Oct 2018 18:22:23 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CAA12128CB7 for <>; Tue, 23 Oct 2018 18:22:22 -0700 (PDT)
Received: by with SMTP id 20-v6so2753915oip.1 for <>; Tue, 23 Oct 2018 18:22:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=0nUsPyRqv5246YyKIQTNeUgrHYwuSIsFMctgEU0tTzU=; b=i1LrbormNCnEWQW6ES4n5THh3OzIhsdVCZg/C5Mm2T2aUfTw0cNU97G5VnKS5DtdIP pS34nr0MRkuj+/VldCMQ7tvPWqzneEThMw1o1iboouRU6VOkA4NvFdN1j6jlOFqn5Wvw ntyrHMVqxwe70by5HlJu8F+vKL7wAFx4clCzLHSdrbV91Bq0UOFWmzAaiVvNbRaGw96P ALcgUlizDNjlR9TxAlfN8AahzaoE6fy6j4sxCA2iDOn7NAWoWoWRK3m5P1UNRQf4UwJm a619znrwFZDOHZh+Fm6xPD1H9nrB7uhfixvgLmAYbudHtN6n5AHPW4WFJNyw8QFfIppf bGfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=0nUsPyRqv5246YyKIQTNeUgrHYwuSIsFMctgEU0tTzU=; b=AB+QABkM/X51FxkcVSN3ShJ35jnETzg+thkocriavcygtQ5+W8W+p5HSkbG+vU40ST 55iAq2nXUpp1ncsZ4fBozXPahWhrNlpK6QCdcwVeFAvhW/7WchPvGuT43361NPI+0yRj AiYFGrUFKIywGJnUlcwfv8FCgW9WSP/057jAc7tVlzIVSVYDdgq3TOXz5aDfvImIFYby ZDqZ1MqkTnM0cuAQYKiyxkLlAHtYVqqnXmVR6UugX03/jZ5q3zzMr1YA0kLNUUtvHTuZ o5Jf/knjuo8il2F9/5D1u4QKytLNXlXA7SQ3EqrvwcHBpMA76ULwQeHx0LHM5L6m2kdM K1DA==
X-Gm-Message-State: AGRZ1gKljcNfXTQZsrL1eEqjgiJ3kjQ3kpN7L0PpQ9DeEx8AmrdUCEDx rFT9j8PFf/Q/aBI6mS1VZ4x+7CZbktMRWPiaQZnT1UYdIkE=
X-Google-Smtp-Source: AJdET5cy5MmHd+dWM5keB+zTYXUiug20OFrYZTgakBWs1xHL8TJsiyYs+hWT0J4HyFcDIecZRPWxqE4gRpBthfAQnFs=
X-Received: by 2002:aca:5452:: with SMTP id i79-v6mr321011oib.344.1540344142066; Tue, 23 Oct 2018 18:22:22 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Martin Thomson <>
Date: Wed, 24 Oct 2018 12:22:13 +1100
Message-ID: <>
To: Paul Hoffman <>
Cc: DoH WG <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Oct 2018 01:22:25 -0000

On Wed, Oct 24, 2018 at 12:12 PM Paul Hoffman <> wrote:
> There is no way for an application like a browser to send a query through the OS for anything other than address records. That is, gethostbyname() and its equivalents only pass back address records. Even if an application had its own DNS stack to make queries for other RRtypes, it doesn't have any way to know where to send them to.

Well, might still be useful for
that then.  That's not ideal, but I believe that there are ways to
make queries for other record types that are more available now than
perhaps there were in the past (see
for example).

>> IP-based certificates [...] impossible to deploy in many cases (think of the many resolvers with 1918 addresses, for example).
> They don't make it "impossible" by a long shot. Plenty of resolvers, even corporate resolvers, have public addresses.

True, it is probably still possible, but it's not like you can just
use ACME to get the certificate.  That's "possible" in theory, but I'm
looking for practicable.