Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)

Martin Thomson <> Tue, 29 May 2018 01:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EB74212DFDB for <>; Mon, 28 May 2018 18:35:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qlOfyCM6eZce for <>; Mon, 28 May 2018 18:35:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7090F12DA18 for <>; Mon, 28 May 2018 18:35:52 -0700 (PDT)
Received: by with SMTP id i5-v6so15221171otf.1 for <>; Mon, 28 May 2018 18:35:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CH7uHX3E7PSZ/eWQ7PJ/++OI2EisnuBba1yOmjG6aqM=; b=n+E27ZU96rfwQZSh/eBbkaGHeF77TxKbnO9QPK3zo0pGGq8wD/8ihlMXM4Pl3hai2V godzWmeKRxJj66H2fxasl0srDPSVtG6pHGMLo/gVOKeUFvnC47ZrM4uz0/nryOtAyoLu OrAXGgKx2nQNWTY0DTCJdEJAMLcQVbeDiuvGgb+ke3hQZkzjks6WxsHXyouNDja9RkyM QFQCe2RnUx4Vf1XOLS+6Svmi1lNdTmx+CJ/tsV0WWo6StjqXMhHua7eTaZBLmE3+4ZuR yGCNcMlZ3HNgQvdX+EkqOgl+lFgQ+cWJZH4iqOPj3cV75s078GJ4NNEIyXisLa/3M32h M03w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CH7uHX3E7PSZ/eWQ7PJ/++OI2EisnuBba1yOmjG6aqM=; b=JDYFyOspWPHwoVrfKfLQiMKBIiLPyCfXBFFK294eDwQg2MvFl/NoZu41JKXp1ikHcw xWTPjzlqy232M2U3H3HYMtotv7WLqXsEy4o1Te1lkMa3H1HEulNUilYDk+H9wkglq2yw myb/pSj2zQKhboGhanK6r0OaPImDV3g5z+ZsTcUJMq4oT8hBtpHW+kdohBWJFRkQ8btm Fsaq3oEwBFc1hLswkPZGX+57mOoWM+HsR/JIFqYyedrXKd8K1/WerPEgyKAQ/J8Ws8Ar yfdZqLOetgqrKkuekZ+S7ccQpGaCZCKhxr6H8PhSKY0AZ55U6gsFnCv0JADBga3IRhUu o5Ng==
X-Gm-Message-State: ALKqPwc5IBMOelHpFkNpLy3DJxbfqENr4zfWNRHlM55b2WHSIW4qYY7n pIKMdpC5+3TVs1AyIt8PJKfkiwSGrS5AaNh1ZrA=
X-Google-Smtp-Source: ADUXVKIpTIvNnUoif6F+sS7NdWRAXqx03DHcZQmAOXg5q/2LtTkzUhDopE7jEJMwPMnRb9d+L0Tzi5onuXNuH8Awb8k=
X-Received: by 2002:a9d:3ea5:: with SMTP id b34-v6mr9341929otc.283.1527557751708; Mon, 28 May 2018 18:35:51 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Martin Thomson <>
Date: Tue, 29 May 2018 11:35:41 +1000
Message-ID: <>
To: patrick mcmanus <>
Cc: DoH WG <>, Andrew Sullivan <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 May 2018 01:35:54 -0000

On Tue, May 29, 2018 at 11:30 AM Patrick McManus <>

>> If we change the text, I think that we could avoid the MUST and say that
>> this document assumes that DNS API clients configure a single DNS API
>> server and do not send queries to, or accept answers from, other servers.

>   I don't think 'single' is the operative part there - and I don't think
the document assumes that beyond a single request needing a single URI.
But, yes, its the "others" that it is looking to exclude.

> I also think you're right to imply that we have a tension here between
what we want to exclude now (stumbling across websites offering to be
recursives) and what we want to enable exploring later (stumbling across
websites offering to be recursives :)) in a more comprehensive manor. I'll
offer up some text inspired by 7540's handling of client certs which has a
somewhat similar profile.

> This might not be hard to solve - the section is really just using
configuration and trust synonymously and a bit redundanty, but people are
reading more into trust. So perhaps we can just use one term. wdyt of:

> "A DNS API client uses configuration to select the URI, and thus the DNS
API server, used for resolution. [RFC2818] defines how HTTPS verifies the
server's identity.

> A client MUST NOT use a different URI simply because it was discovered
outside of configuration.

... or that resources offers a response that is apparently a valid answer
to a DNS API query...

> Specifically, this specification does not extend DNS resolution
privileges to URIs that are not recognized by the DNS API client as
configured URIs. A future specification may support this case."

In my mail, I suggested that we hit the reasons for this restriction, so
that it is clear why this "MUST" appears (I also suggested not using a
MUST).  I think that explaining what the client leans on the server for is
important for understanding the decision to use the big guns here.