Re: [Doh] [Ext] Servers offering responses for domains they are not responsible for

Eliot Lear <> Mon, 06 November 2017 06:27 UTC

To: Martin Thomson <>
Cc: Paul Hoffman <>, "" <>, Mark Nottingham <>
From: Eliot Lear <>
Date: Mon, 6 Nov 2017 07:27:30 +0100

Good evening(?) Martin,

On 11/6/17 6:18 AM, Martin Thomson wrote:
> Eliot, are you assuming that the DNS client will be looking at
> responses from origins other than the one it has configured as a DOH
> server?

No, although I have a good joke about that re certain all-encompassing
apps and 4-engine aircraft.  Find me next week ;-)

My presumption is simply that the common case will be that HTTP will be
used as a substrate for DNS queries, separate from any other subsystem,
at least initially.  I think this is Paul's view as well, if I
understand him correctly.

What I am getting at is that introducing a new operating model entails
certain operational aspects, most of which can be addressed.  But let's
not kid ourselves: in the case of global load balancers, if this
mechanism isn't going to disturb them, then at least for the moment, one
should expect to have an infrastructure similar to that used by Google
for, whereas Eliot's home system would be an exceedingly poor
choice for general use ;-)

Sorry for not sticking to examples- I am trying to convey
some notion of scope and scale.