Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

Petr Špaček <> Wed, 13 June 2018 17:47 UTC

From: Petr Špaček <>
Organization: CZ.NIC
Date: Wed, 13 Jun 2018 19:47:40 +0200
List-Id: DNS Over HTTPS <>

On 13.6.2018 00:19, Paul Hoffman wrote:
> On Jun 12, 2018, at 2:46 PM, Ray Bellis <> wrote:
>> I do think it would be helpful to consider in more detail where DOH is
>> expected to sit in the DNS architecture.
> This is the DNS: "is expected" almost always turns out to be wrong. (No smiley appended.)
> The same can be said for HTTP.
>> Is it going to be a new "first class" transport (sic) protocol, or is it
>> merely a tunneling protocol for carrying DNS messages whose sole purpose
>> is to provide interworking for those that cannot use the "normal"
>> transport protocols because either a) there's a stoopid middlebox in the
>> way, or b) they're a web client ?
> These are good questions, but if we try to base our protocol on what "is expected" and our expectations turn out to be wrong, we will probably design the protocol badly.

I think Ray was too shy to ask The Question:

Is the goal of the current doh WG

a) "standardize encodings for DNS queries and responses that are suitable 
for use in HTTPS. This will enable the domain name system to function over 
certain paths where existing DNS methods (UDP, TLS [RFC 7857], and DTLS 
[RFC 8094]) experience problems." in an interoperable way, i.e. doing a 
thing the WG was chartered to do?

b) Invent DNS 2.0 and attempt to hide that the proposal goes beyond the 
original DNS protocol? We badly need DNS 2.0, so let's admit that; it is 
not a shame.

If the answer is b) then I will applaud and support doh doing DNS 2.0; 
we only need to stop pretending that the current doh work is just a new 
transport for the original DNS.

My reading of the doh charter is that the doh protocol is a transport which 
should help to get the existing DNS to endpoints. Changes beyond 
existing DNS semantics are work on DNS 2.0 and thus outside of the current 
doh charter.

I strongly support work on DNS 2.0 but we must not pretend that it is 
still the original DNS with minor tweaks, and recharter doh to admit that.

A clean cut will make all discussions about "what happens if there is a 
dumb proxy" moot because it will be clear to everyone that "doh is going 
to be DNS 2.0".

Or even better, let's use a new name for the new protocol:
HTTP naming system (HNS)
and not confuse everyone with references to the legacy DNS.

Can we get a consensus call to answer what doh WG participants want to do?

a) just do a new transport for the existing DNS
b) invent an "HTTP naming system" without the burden of legacy DNS
(HNS == DNS 2.0)

Can we get clear answers to this question? Pretty please!

Petr Špaček  @  CZ.NIC