Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

Paul Hoffman <> Tue, 22 January 2019 16:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 871A0130F32 for <>; Tue, 22 Jan 2019 08:11:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YCC5sm_P42Aq for <>; Tue, 22 Jan 2019 08:11:23 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 41D6012E043 for <>; Tue, 22 Jan 2019 08:11:23 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 22 Jan 2019 08:11:20 -0800
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1367.000; Tue, 22 Jan 2019 08:11:20 -0800
From: Paul Hoffman <>
To: John Dickinson <>
CC: "" <>
Thread-Topic: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
Thread-Index: AQHUsknwWd0ToIteakqp5mhlx5MwG6W7+8EA
Date: Tue, 22 Jan 2019 16:11:20 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Doh] [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Jan 2019 16:11:26 -0000

On Jan 22, 2019, at 3:58 AM, John Dickinson <> wrote:
> On 16 Jan 2019, at 22:32, Paul Hoffman wrote:
>> On Jan 16, 2019, at 1:29 PM, Martin Thomson <> wrote:
>>> On Wed, Jan 16, 2019, at 11:25, Paul Hoffman wrote:
>>>> People from a few browser vendors have expressed unofficial interest in
>>>> implementing at least parts of it if it gets standardized, so it seems
>>>> like a good idea to try to standardize it. There is still a reasonable
>>>> amount of work to be done in the document itself, and it certainly needs
>>>> input from both browser and DNS folks.
>>> What happened to DRIU?  It seemed like there was an effort to work on the problem more generally.
>> There was little interest in anything other than this part.
>>> But I see the DoT comment down-thread and wonder whether this is the right place for doing this sort of work.
>> DPRIVE is (sadly very slowly) working on draft-ietf-dprive-bcp-op, where DoT discovery would fit just fine.
> I don’t think so. The BCP is Informational,

As a process note, BCPs are standards, not Informational. 

> I see server discovery (requiring extensions to the protocol) as well out of scope for the BCP.

For that, I agree. For DoT, "try it and see" works just fine.

> As mentioned by Ben, for opportunistic DoT port 853 can be probed, but there is still no DNS or DHCP solution for Strict DoT (i.e. securely obtaining the authentication domain name).

Agree. There has been little interest in this so far.

> My understanding of this draft is that it provides only an ‘opportunistic’ discovery mechanism for DoH where the resulting URI template cannot be DNSSEC validated by the system resolver or the requesting application/browser. If that is the case the resulting HTTPS connection _could_ have been re-directed and so I think that should be spelt out more clearly. 

Good point, will do.

> For example, I think that at least the title should be something more like ‘Associating a DoH Server with a Resolver for Opportunistic DoH’.

I would push back on this change because "DoH Servers by TXT" is opportunistic while "DoH Servers by Addresses" is not.

> Other comments:
> I find this draft extremely difficult to read. For example, I am unable to easily parse Section 1, Para. 2, Sentence 1:
>   “There is a use case for browsers and web applications to want the DNS
>   recursive resolver(s) configured in the operating system to use DoH
>   for DNS resolution instead of normal DNS, but to do so to at a DoH
>   server specified by the configured resolver.”
> I find the rest of the Introduction just as difficult to read.
> Please add SUDN to the Terminology section and to the next DNS Terminology -bis draft.
> Section 2.1
>   “the zone is
>   not actually delegated and never will be.”
>   So it can never be DNSSEC signed unless you use a local trust anchor.
> Section 2.2
>   “To find the DoH servers associated with a resolver, the client sends
>   a query to
>   https://IPADDRESSGOESHERE/.well-known/doh-servers-associated/”
>   Need to make it clear that this is a DoH query not a regular “http query”
> Section 3 makes no mention of the fact that the OS stub resolver typically has more than 1 resolver configured.
> Section 4
>   “That wording might say
>   something like "DoH server associated with my current resolver" (or
>   "servidor DoH asociado con mi resolucion actual" or "serveur DoH
>   associe a mon resolveur actuel”).”
>   Is this intended to be read only configuration? It doesn’t sound like a configuration item for a User to edit.

The purpose of having a WG review the draft is to make it easier to read. All the above seem like good changes.

> I do not think this draft should be adopted until a separate use cases document is written (I am happy to help write it).

We disagree here. In which WG has the separate use cases document being finished before the protocol started worked out well?

--Paul Hoffman