Re: [Doh] [Ext] Re: Associating a DoH server with a resolver

Eric Rescorla <> Wed, 24 October 2018 03:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D1C9130DFD for <>; Tue, 23 Oct 2018 20:19:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BNwzu9srXWWN for <>; Tue, 23 Oct 2018 20:19:16 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 47314130DDA for <>; Tue, 23 Oct 2018 20:19:13 -0700 (PDT)
Received: by with SMTP id x24-v6so2783257lfe.5 for <>; Tue, 23 Oct 2018 20:19:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MLHv2SvNYTFn3aU2IkhXp6K+4olFG8qvj+gz7uEnZjA=; b=iZzM8hyJX8Xoi/IzLQ/labpM7+1p4IO3+AYntnERVknxYH7wKurJjpOnR8k1pbjA54 fC78Zm1Sf+o8mbd1aSky+0jkINXcs4Yftrg8+BEr5wKdeBGLLyTeiULDfO7DXPQULg+F 0TVVEpJMkfysNU/cD2YRMl9Ly3OgCe7Xwl4B6E3gJvCOmNuton6nKtMy9OKaIWEoG/eH f1wI9IXn8OWJeMya3u5dyfMCEVjv1AyFAfkVga0z49pPVnXTwybRSPHrki6LrrgKgQiQ 4kShUIpmieRebiehtTjxjtvqznGDKxsXKAjcVAFhfzic8l7hSZQ9Pro6KfCzJ8EbuhB6 BQ4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MLHv2SvNYTFn3aU2IkhXp6K+4olFG8qvj+gz7uEnZjA=; b=KVOoiaOtTMvXs1ClaYFkpfjxzG2BkErEDkkYE1GkYv8bvXz4ZZE8dwZZpr9B2C0fLZ vxSZdEB+RqanfTNOvNny3MQcxEzVBbV/oHWXEy4EZR3oXINKBBtAuoYb7KQqSEsbtbeI FZH/zO/+A4FTbl/gWotVFxmy7Cq/G5ak9ggW015wv/Quxlwr32GKf3VfTC7/Y5t27YWD iViys/SmFdDNqlwwEOyZwYFKB1UAZNWUR9fI/GQVpfqUWH0k5GTM9C2mNUtgiHxc3GT3 q2hLAPB4wOtCmuITFo2GsZXKUVoVA5nNg8DzjJwJDWkm7dIOvOrrLVw7PpIMbVGwLknz Y/+Q==
X-Gm-Message-State: ABuFfoh4FrfG7v5WADnYUvvOv47wNcp6Cj8eSOcqeqst84LXFnMPlAtM k4vOrGRo8CtVmQlVApc3BZ43dU8cn1iIf9hGUJNXZg==
X-Google-Smtp-Source: ACcGV60zkS5JR/FtwVqNRPetGRIhug/GradmNex2pAnGAgrFLiyXrdcagkYZOzJm7FOmvmjsdYht6zKxEN4ctsEB4iU=
X-Received: by 2002:a19:ca51:: with SMTP id h17mr4638562lfj.126.1540351151395; Tue, 23 Oct 2018 20:19:11 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Tue, 23 Oct 2018 20:18:32 -0700
Message-ID: <>
To: Martin Thomson <>
Cc: Paul Hoffman <>, DoH WG <>
Content-Type: multipart/alternative; boundary="0000000000003569730578f0f319"
Archived-At: <>
Subject: Re: [Doh] [Ext] Re: Associating a DoH server with a resolver
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Oct 2018 03:19:19 -0000

Several points here:

1. As a matter of aesthetics, I agree with Martin that domain names would
be better.
2. Martin sent a link to a method for resolving TXT records on Windows.
MacOS has its own API:
So, this doesn't seem prohibitive to me.
3. It seems like in the use case for which this draft is specified, the
whole thing is pretty opportunistic, so IP address certs wouldn't be
4. There are other uses cases for which it might be nice to have real
domain names, in which case the IP address cert thing is a pain.

For these reasons, I think a domain name in TXT or the like would be better.


On Tue, Oct 23, 2018 at 6:22 PM Martin Thomson <>

> On Wed, Oct 24, 2018 at 12:12 PM Paul Hoffman <>
> wrote:
> > There is no way for an application like a browser to send a query
> through the OS for anything other than address records. That is,
> gethostbyname() and its equivalents only pass back address records. Even if
> an application had its own DNS stack to make queries for other RRtypes, it
> doesn't have any way to know where to send them to.
> Well, might still be useful for
> that then.  That's not ideal, but I believe that there are ways to
> make queries for other record types that are more available now than
> perhaps there were in the past (see
> for example).
> >> IP-based certificates [...] impossible to deploy in many cases (think
> of the many resolvers with 1918 addresses, for example).
> >
> > They don't make it "impossible" by a long shot. Plenty of resolvers,
> even corporate resolvers, have public addresses.
> True, it is probably still possible, but it's not like you can just
> use ACME to get the certificate.  That's "possible" in theory, but I'm
> looking for practicable.
> _______________________________________________
> Doh mailing list