Re: [Doh] WG Review: DNS Over HTTPS (doh)

Martin Thomson <> Tue, 26 September 2017 00:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5732813460B; Mon, 25 Sep 2017 17:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9hNeRrqnWw7D; Mon, 25 Sep 2017 17:04:41 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9C8551321A4; Mon, 25 Sep 2017 17:04:41 -0700 (PDT)
Received: by with SMTP id p126so9525049oih.9; Mon, 25 Sep 2017 17:04:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YB3Mxff3Xe+mwMDRNK9zF7+etaTBlJgTNocN/YkZa/Y=; b=BXUEGNDkmCFcOFQYEnXth6zYMQE0aBRZ8S9GsHK8eOqtUMwzwzTqux/4scJZSA2pT+ Ou0waBu5FNQjPMcXV4vOXWIgDK11T7zQGSwnsQCqYLBz3L9efP2hnYNh8SFhRtlRBLDN IuDN6m4jwKZdNbgzGIFaSxlsscAFW0XaIj3g0Njn1L5rsOUaqTZ1s9okYs0abU7r0ASN 8/j79CgAdEG3WmrtY1tU+x2g5p3deHE255CF2mcwWEAksld1kzV5vv7Np8ZpAPeRUBDH zDIUgUI3r1wcZ9U6mFfffXcET6TxtbmRXpfDe7hQcOJzWJxDuiV4/73SwCrfKGHV7u5E XfBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YB3Mxff3Xe+mwMDRNK9zF7+etaTBlJgTNocN/YkZa/Y=; b=DA5LH1h9SQd4yKCvUYLJCoLEvQzVATmL6LRg2rDPnw1xCW41UKwqN2FeZAL5DcvDas aQIE0NjzX6woL+mr4pylyOPq77m9cQNm/6W/49zr07yqqzXUQRpljnGHTbp1znrpchHw sLwXQK8o2ZCqyg+9JWHLGglzSxGANu3O5W7T8eqqX9ECwIf8abfI1jZ7eCZUHrjXSVYi Tx+Ca0+Pxla/SFFrp8o6blqISo0o8782/X2bZYjKoGkgjdDjTRSITW9d/6DFnE/8Odn8 iTBW3XWjg7tDANP0T7SjeRxlu0vttQWHE10/JBcNu++Zrxj0mqzuYo7F8+9SLB5cQ5wp qGGg==
X-Gm-Message-State: AHPjjUhpqQGw0dTZCg1vNDGFkyfkcTj3qbhpyOy0xcpHyHhWf4GtK8ZO TyNFxlEcCUEv+nINhg58nho1K1/mywRhd+5Wa/g=
X-Google-Smtp-Source: AOwi7QBPMWR8SmZYsvxsbw50zGoMB9/gZIc37I9QYs4duL5y3IQCCYAVgn/fL/VVABkRZ1O8AvxYQ95EQ4iSGKUJrTQ=
X-Received: by with SMTP id t195mr10954098oie.277.1506384280932; Mon, 25 Sep 2017 17:04:40 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 25 Sep 2017 17:04:39 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
From: Martin Thomson <>
Date: Tue, 26 Sep 2017 10:04:39 +1000
Message-ID: <>
To: Stephen Farrell <>
Cc: Adam Roach <>, Ted Hardie <>,, IETF <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Doh] WG Review: DNS Over HTTPS (doh)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Sep 2017 00:04:43 -0000

On Tue, Sep 26, 2017 at 9:49 AM, Stephen Farrell
<> wrote:
> On 26/09/17 00:38, Adam Roach wrote:
>>> The Working Group will analyze the security and privacy issues that could
>>> arise from accessing DNS over HTTPS. In particular, the Working Group
>>> will
>>> ensure that access to DNS information from a JavaScript context will
>>> not have
>>> adverse impact on the host operating system's DNS cache. The manner in
>>> which
>>> such analysis is performed will be decided by the working group.
> I'd be just about ok with that. My problems with your rephrasing
> are:
> - I'm not sure the WG can "ensure" a lack of adverse impact, so
>   why make it a requirement, if it's not possible?
> - Pollution of the OS's cache may not be the only bad thing that
>   can happen, so that needs to be an example.
> - I'm fine that a WG decide how to document stuff, but saying
>   they can decide the manner in which such analysis is performed
>   seems to me like you could drive a giant cart and horses-
>   galore through that loophole, and that phrasing seems to
>   nearly invite that, and I've seen WGs do just that kind of
>   thing. I'd like that you or some other AD could ask to be
>   pointed at the analysis results and for those to at minimum
>   need a WG-list thread, so saying "do the work, document it
>   however you like" seems like a better plan to me.

How about just:

The Working Group will analyze the security and privacy issues that
could arise from accessing DNS over HTTPS. In particular, the Working
Group will consider the interaction of DNS and HTTP caching.

I don't think that we need the JS piece in there.  There are special
concerns there, but I think that we're all enough aware of those
concerns that we can reach a conclusion of sorts in the working group.