Re: [Doh] How to start HTTP/2?

Patrick McManus <> Wed, 17 January 2018 15:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B69A127978 for <>; Wed, 17 Jan 2018 07:03:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H4B7e_MBsQhJ for <>; Wed, 17 Jan 2018 07:03:47 -0800 (PST)
Received: from ( [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by (Postfix) with ESMTP id D94B912D957 for <>; Wed, 17 Jan 2018 07:03:46 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPSA id 684163A0FE for <>; Wed, 17 Jan 2018 10:03:44 -0500 (EST)
Received: by with SMTP id h92so12038088lfi.7 for <>; Wed, 17 Jan 2018 07:03:44 -0800 (PST)
X-Gm-Message-State: AKwxytfblcVV/cgIYakZG/WW0TK+PnBURc4+7Q7dn/0EJ/XcJetpGBYS y1w2TDYbxklS1uPrDvNgevjdgtJd1lafUBLkTwM=
X-Google-Smtp-Source: ACJfBoueYDQYLfPcl0b+yLnpv9oQPgN2V0I1p0Ul3NoLq0L+IUUj6Fp3cSsptYpAgwQ9QPg8FTyiLTc2j0wubpbMbgA=
X-Received: by with SMTP id r195mr10820573lff.37.1516201423068; Wed, 17 Jan 2018 07:03:43 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 17 Jan 2018 07:03:42 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <>
From: Patrick McManus <>
Date: Wed, 17 Jan 2018 10:03:42 -0500
X-Gmail-Original-Message-ID: <>
Message-ID: <>
To: Stephane Bortzmeyer <>
Cc: Patrick McManus <>,
Content-Type: multipart/alternative; boundary="94eb2c1a194a3ae4b30562fa27bc"
Archived-At: <>
Subject: Re: [Doh] How to start HTTP/2?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jan 2018 15:03:54 -0000

On Wed, Jan 17, 2018 at 3:18 AM, Stephane Bortzmeyer <>

> Martin Thomson said it is not a problem because everyone uses TLS and
> ALPN, anyway. But it contradicts what you say about the possibility of
> future changes using other techniques.

for h2, everyone does use TLS/ALPN/TCP-443 for the base case.. but if
you're using alt-svc then the host and port are resolved differently. DoH
can use Alt-Svc but DoH (rightly) doesn't reference it. Alt-Svc is an h2
extension (rfc 7838)

hq (HTTP on Quic - an IETF successor to h2) will be a bit more
complicated.. not only will you need TLS and ALPN but you'll need Alt-Svc
(or something like it) for even the base case as TCP/443 isn't going to
work. Again, referencing the details in doh doesn't help a lot beyond
saying "MUST connect via https and SHOULD use h2 or its successors".

One of the reasons this can't be a MUST is actually ensuring a >= h2 path
is nigh impossible given all of abstractions in infrastructure. Its not
meant to say you should always fail the connection if it is not made over
H2, just
a] make sure your implementation offers and tries to use >= h2 in the usual
b] understand that if you're not using >= h2 there are serious scaling and
performance issues

If this can be expressed as non-normative advice in a sentence or three
that would be ok by me but in general I think this is what using https as a
substrate means.