Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

Mateusz Jończyk <> Thu, 14 June 2018 19:12 UTC

To: Sara Dickinson <>, DoH WG <>
References: <> <> <> <> <> <20180613192030.GA2792@jurassic> <> <20180613205637.GA23215@jurassic> <> <20180614042217.GA25915@jurassic> <20180614044113.GA27115@jurassic> <> <>
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <>
Openpgp: preference=signencrypt
Message-ID: <>
Date: Thu, 14 Jun 2018 21:12:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="B9RhGjLrglHhKUfBLuXZ52wkYs5XQBuer"
Archived-At: <>
Subject: Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)

On 14.06.2018 at 16:00, Sara Dickinson wrote:
> Applications are free to decide it but it is not without consequences, for example:
> 1) Many enterprises rely on using internal views for DNS from servers provided by DHCP. If applications override this by _default_ then that model completely breaks internal name resolution _and_ leaks internal queries to the external resolver. Some might consider that a loss of security and privacy. 
> 2) By ‘users’ above I think you mean ‘application developers’ not ‘actual end users’? While there may be good reasons for application developers to want to do this I would postulate that actual end users who understand enough about DNS to want to control it would prefer to have a single system setting to configure it to point at _their_ preferred resolver, rather than a (transport/DNSSEC/resolver) setting existing in every individual application.
> I’m not saying there is a right or wrong model here, just that there are more concerns than simply what the application prefers. 
> Sara.

There is a need for robust DHCP to discover DOH servers.

I hope that separate DOH settings in web browsers are just a stopgap measure
until operating systems support DOH.