Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

Mukund Sivaraman <> Wed, 13 June 2018 19:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5697612426A for <>; Wed, 13 Jun 2018 12:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hmGoiK0WN3a9 for <>; Wed, 13 Jun 2018 12:20:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E737F130E8A for <>; Wed, 13 Jun 2018 12:20:41 -0700 (PDT)
Received: from jurassic (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 5E54532C0972; Wed, 13 Jun 2018 19:20:36 +0000 (UTC)
Date: Thu, 14 Jun 2018 00:50:30 +0530
From: Mukund Sivaraman <>
To: Ben Schwartz <>
Cc:, DoH WG <>
Message-ID: <20180613192030.GA2792@jurassic>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.2 (2017-12-15)
Archived-At: <>
Subject: Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Jun 2018 19:20:45 -0000

On Wed, Jun 13, 2018 at 02:16:11PM -0400, Ben Schwartz wrote:
> > I think Ray was too shy to ask The Question:
> >
> > Is the goal of the current doh WG
> >
> > a) "standardize encodings for DNS queries and responses
> > that are suitable for use in HTTPS. This will enable the domain name
> > system to function over certain paths where existing DNS methods (UDP,
> > TLS [RFC 7857], and DTLS [RFC 8094]) experience problems." in an
> > interoperable way, i.e. doing a thing the WG was chartered to do?
> >
> > OR
> >
> > b) Invent DNS 2.0 and attempt to hide that the proposal goes beyond the
> > original DNS protocol? We badly need DNS 2.0 so let's admit that, it is
> > not a shame.
> >
> I appreciate your concern but please try to avoid accusing members of the
> working group of trying to hide anything.

It's a valid question that has been asked. Many of us are concerned
about things are being said and it's best to discuss them freely without
taking offense.

This is from Tale's post:

> There are already indications from people who want to leverage it to
> provide DNS response delivery without involving the traditional
> resolution path.  Some of them stated quite clearly at the first DoH
> BoF that they really weren't even interested in working on it if it
> was just going to be merely a tunneling protocol.
> It isn't clear to me how you could meaningfully restrict it from being
> a "'first class' transport".  Fiat declaration sure wouldn't do it.

This may well fit in within current DoH charter or may not, depending on
how "existing DNS methods (UDP, TLS [RFC 7857], and DTLS [RFC 8094])
experience problems" from the charter is interpreted.

Is this a replacement for traditional DNS? (there's no need to take
offense at this question.. please let's just discuss it.)

The 64kB limit is just one aspect (we've been asked for proof of
problems - it has been explained already that DNS message parsers do it
in memory currently - 64kB imposes an implicit upper limit on the
derived objects in in-memory message structures (lists of names + RDATA
objects).  E.g., a 32-bit limit would mean the possibility of requiring
to hold 4GB wire data in memory and the larger derived structs from
parsing it, or, reimplementing message parsing with disk storage. (Think
of sax vs. DOM XML parsing for an analogy.)

> The question of what message size limits to require or recommend does not
> resemble an attempt at any kind of "DNS 2.0".  Note that message size
> interoperability questions are not a new issue within the DNS: many
> endpoints will reject messages larger than 4K or 8K, even though there is
> no way to signal this limitation.  HTTP has similar issues (e.g. URL length
> limits).

Implementators are concerned because this 64kB limit has been assumed
forever now and various parts of code aren't written or even designed to
handle larger sizes. I don't know how you mean by "endpoints will reject
messages larger than 4k".. I think any of the popular open source DNS
nameservers will parse 64kB messages over TCP (though some may not
generate > 16kB messages as name compression pointers have a limit of
16kB from the start).

> The charter does not require that the standard guarantee functionality in
> all possible use cases and multi-system interactions, and both choices (to
> apply a limit or not) fail to serve a desirable use case: either we don't
> support 100% reliable gateways from DoH into DNS-over-TCP, or we don't
> support large zone transfers over DoH.  It's up to the working group to
> balance these concerns, either by choosing one option or by finding a
> middle ground.

The charter says:

"The primary focus of this working group is to develop a mechanism that
provides confidentiality and connectivity between DNS clients (e.g.,
operating system stub resolvers) and recursive resolvers."


"Specification of how DNS-formatted data may be used for use cases
beyond normal DNS queries is out of scope for the working group."

and we're talking about zone transfers. Zone transfers are not DNS
queries. So what's the limit of this charter?

Large zone transfers are supported today using TCP continuation messages
and the same can be encoded by DoH within the 64kB message limit. FWIW,
even we don't use larger than 16kB messages for zone transfers in
traditional DNS because it doesn't compress well, though there is a 64kB

If DoH is purely an encoding transport to carry traditional DNS
messages, then there will be a problem with larger than 64kB messages

(1) tradtional NS -> (2) trad:DoH intermediate using 1MB messages -> (3) DoH client


(1) DoH NS using 1MB messages -> (2) DoH/trad intermediate -> (3) traditional client

because TSIG will not validate if only (1) has the secret to generate
them and (2) is just a forwarder.

A person like me is wondering about these things, because I don't know
what's the limit for DoH - how all it will be used, because of
everything that's being discussed. It appears that DoH will not be
restricted, so before rushing to update things, please discuss
traditional DNS's concerns, and also discuss what's within scope in the

As an exercise, it'd be good to read about several practial usage
patterns in which DoH may be used.