Re: [Doh] Subsection Server Push: unclear wording

Ben Schwartz <> Fri, 11 May 2018 14:49 UTC

On Fri, May 11, 2018 at 8:18 AM Mateusz Jończyk <> wrote:

> Hello,
> The Server Push subsection now reads so:
>         Before using DOH response data for DNS resolution, the client MUST
>         establish that the HTTP request URI may be used for the DOH query. For
>         HTTP requests initiated by the DNS API client this is implicit in the
>         selection of URI. For HTTP server push ({{RFC7540}} Section 8.2) extra
>         care must be taken to ensure that the pushed URI is one that the client
>         would have directed the same query to if the client had initiated the
>         request.
> The first sentence is very misleading. The intention here was supposedly that
> the HTTP request URI is trusted by the client, not that it is working. This is
> clear by reading the commit that introduced the sentence:

Perhaps you are interpreting "may be used" to mean "is functional"?  Its
meaning here is "is permitted", i.e. permitted by the client
configuration.  I think that the following sentence makes this clear.

> Additionally, I do not understand it fully, but to me it seems that the
> situation described as "the pushed URI is one that the client would have
> directed the same query to if the client had initiated the request." would be
> very rare.
> Suppose that the client connects to, and tries to push a
> DNS resolution for It seems (as I get it) that the client could only
> use the DNS resolution of when is configured by the client
> as the chosen DNS API server. So, a pushed DNS resolution could only be used
> when contacting a HTTP server that at the same time is configured as a DNS API,
> which is exceedingly rare.
> Therefore, it would probably be better to specify that only a configured
> server may push DNS responses.

I think that is both the intent and the effect of this text.  The final
sentence operationalizes the notion of configuration in a way that reduces

> On the other hand, it may happen that the DNS API server pushes additional
> responses to a DNS query. For example, when the DNS client requests an AAAA
> record for and it happens to be an alias for
>, the DNS API server may push a DNS resolution for
> [1]
> Am I reading the text correctly here?
> Greetings,
> Mateusz Jończyk
> [1] I have to admit I do not know DNS well enough to know whether such server
> push could be beneficial and when.
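The check debated in this thread, sketched as an added example that is not part of the original message or of the draft: a client accepts a pushed DOH request URI only if it equals the URI the client would have built for the same query from its own configuration. It assumes a single configured endpoint (`https://doh.example/dns-query` is hypothetical), the GET form with a base64url `dns` parameter, a client that sends ID 0, lowercase names and no additional records, and an HTTP stack that has already verified the server is authoritative for the pushed URI.

```python
import base64
import struct
from urllib.parse import parse_qs

# Assumption: the client is configured with exactly this one DoH endpoint.
CONFIGURED_ENDPOINT = "https://doh.example/dns-query"  # hypothetical

def encode_query(qname, qtype):
    """Wire-format query as this client sends it: ID 0, RD set, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def client_uri_for(qname, qtype):
    """The URI this client would itself request for (qname, qtype)."""
    dns = base64.urlsafe_b64encode(encode_query(qname, qtype)).rstrip(b"=")
    return f"{CONFIGURED_ENDPOINT}?dns={dns.decode()}"

def parse_question(msg):
    """Return (qname, qtype) of a one-question message; ValueError if malformed."""
    if len(msg) < 12 or msg[4:6] != b"\x00\x01":
        raise ValueError("need exactly one question")
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # compression pointer or overrun
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 != len(msg):  # terminator + QTYPE + QCLASS, nothing after
        raise ValueError("bad question section")
    return ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0]

def accept_pushed(pushed_uri):
    """True only if pushed_uri is byte-for-byte what this client would send."""
    params = parse_qs(pushed_uri.partition("?")[2])
    if list(params) != ["dns"] or len(params["dns"]) != 1:
        return False
    b64 = params["dns"][0]
    try:
        msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        qname, qtype = parse_question(msg)
    except ValueError:
        return False
    # Re-derive the request from configuration and compare; this rejects other
    # origins or paths, extra parameters, and non-canonical encodings.
    return client_uri_for(qname, qtype) == pushed_uri
```
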