Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)

Sara Dickinson <> Tue, 29 May 2018 09:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4D1E8126BFD for <>; Tue, 29 May 2018 02:27:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uLsjBkiE_3x7 for <>; Tue, 29 May 2018 02:27:34 -0700 (PDT)
Received: from ( [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4D2A812421A for <>; Tue, 29 May 2018 02:27:34 -0700 (PDT)
Received: from [2001:b98:204:102:fffa::409] (port=50889) by with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <>) id 1fNaue-0001vq-9T; Tue, 29 May 2018 10:27:32 +0100
From: Sara Dickinson <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_53654ECA-53AE-42D2-B4DD-8B5AF81EF375"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 29 May 2018 10:27:15 +0100
In-Reply-To: <>
Cc: Martin Thomson <>, DoH WG <>, Andrew Sullivan <>
To: Patrick McManus <>
References: <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.6.18)
X-BlackCat-Spam-Score: 4
Archived-At: <>
Subject: Re: [Doh] A question of trust (was Re: Draft -09 and WGLC #2)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 May 2018 09:27:37 -0000

> On 29 May 2018, at 02:30, Patrick McManus <> wrote:
> If we change the text, I think that we could avoid the MUST and say that
> this document assumes that DNS API clients configure a single DNS API
> server and do not send queries to, or accept answers from, other servers.
>  I don't think 'single' is the operative part there - and I don't think the document assumes that beyond a single request needing a single URI. But, yes, its the "others" that it is looking to exclude.

+1 Do not limit this to a single configured server. 

> I also think you're right to imply that we have a tension here between what we want to exclude now (stumbling across websites offering to be recursives) and what we want to enable exploring later (stumbling across websites offering to be recursives :)) in a more comprehensive manor. I'll offer up some text inspired by 7540's handling of client certs which has a somewhat similar profile.
> This might not be hard to solve - the section is really just using configuration and trust synonymously and a bit redundanty, but people are reading more into trust. So perhaps we can just use one term. wdyt of: 
> "A DNS API client uses configuration to select the URI, and thus the DNS API server, used for resolution. [RFC2818] defines how HTTPS verifies the server's identity.
> A client MUST NOT use a different URI simply because it was discovered outside of configuration. Specifically, this specification does not extend DNS resolution privileges to URIs that are not recognized by the DNS API client as configured URIs. A future specification may support this case.”

I much prefer the approach of just discussing configuration but I don’t think this goes far enough in answering Andrews question or helping implementors work out exactly what to to. So….

What does ‘configuration’ cover?
- Just direct configuration e.g. via a client API or config file
- Or also dynamic configuration e.g. via DHCP, assuming a future option for this (which raises the question of trust again….)? 

I support only specifying direct configuration in this document but either way making it more explicit.