Re: [Doh] I-D Action: draft-ietf-doh-resolver-associated-doh-03.txt

Stephane Bortzmeyer <> Mon, 25 March 2019 11:03 UTC

Date: Mon, 25 Mar 2019 12:01:36 +0100
From: Stephane Bortzmeyer <>
Subject: Re: [Doh] I-D Action: draft-ietf-doh-resolver-associated-doh-03.txt
List-Id: DNS Over HTTPS <>

On Sun, Mar 24, 2019 at 01:14:54AM -0700, <> wrote a message of 43 lines which said:

>         Title           : Associating a DoH Server with a Resolver
>         Author          : Paul Hoffman
>         Filename        : draft-ietf-doh-resolver-associated-doh-03.txt

My biggest issue is that the rationale in section 1 has many weak points:

* "There is a use case for browsers and web applications". Why not for
local limited resolvers like stubby or systemd-resolve? We assume they
will always prefer DoT?

* "much less often, they use manual configuration" Less often but more
and more, to work around failures and/or censorship. On a gamer forum,
these days, any report of an issue, whatever the issue is, elicits a
suggestion "switch to [some public DNS resolver]".

* "In a common scenario" "Common" is way too vague for something which
exists in *some* corporate networks but never (I hope so!) in public.

Otherwise, even after reading the whole thread "Reviewing
Resolver-Associated DOH", I don't understand why https is required in
section 2. We don't require DNSSEC in section 3, so why have
stronger requirements for HTTP? Since having certificates for IP
addresses will be difficult in practice, why not just accept http
as well as https? (Or, <horror>https without cert. checking</horror>.)

* in section 5, "server" is written "serer".

* in section 1, "Users typically configure their DNS recursive
resolvers with through automatic configuration" With through?