Re: [Doh] [Ext] Seeking input on draft-03

Paul Hoffman <> Thu, 08 February 2018 18:18 UTC

From: Paul Hoffman <>
To: Mike Bishop <>
Date: Thu, 8 Feb 2018 18:18:15 +0000

On Feb 8, 2018, at 10:11 AM, Mike Bishop <> wrote:
> I’m inclined to think this is a positive change. We’re trying to do something better than the current world of “trust the local DNS server because unauthenticated DHCP says so”, and promiscuous trust just because a server claims it supports DOH via a .well-known endpoint isn’t really any better. The client should know the hostname(s) of the DOH server(s) it wants to use, and it should authenticate the DOH server against that hostname.

To be clear: that's not what the current draft says. It says that the client needs to know *the full URL to the DOH service* of the DOH server it wants to use.

The effect of this is that, if a user wants to tell its browser to use DOH on, they need to know the full URL and type it into some config dialog for the browser. Or, possibly worse, browsers that want to enable DOH will have to have a list of popular DOH servers and the URL associated with each server, somewhat akin to the preloaded key pinning we see now; that list would also need to allow the user to extend the list.

Using .well-known/ or some other fixed prefix would make it so that configuring DOH was less onerous for users.

--Paul Hoffman
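The two configuration models discussed above (the current draft's "client knows the full URL" versus the proposed "client knows a hostname and appends a fixed prefix") can be illustrated with a small client-side helper. This is an added example written for this archive page; it is not code from the DoH draft, from any browser, or from the message authors. The `/.well-known/doh` path, the `dns.example` names and the preloaded list are all assumptions constructed for the illustration; the draft at the time defined no such well-known path.

```python
"""Deriving the DoH endpoint a client should connect to from its configuration.

Two models from the thread:
  1. the user (or a preloaded list) supplies the complete URL;
  2. the user supplies only a hostname and the client appends a fixed prefix.
In both models the name the TLS certificate is validated against comes from
the client's own configuration, never from an unauthenticated source such as
DHCP.  Example code, not from the DoH draft or any real client.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical fixed prefix (assumption: the draft defined no such path).
ASSUMED_WELL_KNOWN_PATH = "/.well-known/doh"

# Constructed stand-in for a browser-shipped list of popular servers,
# akin to the preloaded list the message describes.  Names are invented.
PRELOADED_DOH_SERVERS = {
    "dns.example": "https://dns.example/dns-query",
}

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


@dataclass(frozen=True)
class DohEndpoint:
    url: str            # where the DoH requests are sent
    auth_hostname: str  # name the server certificate must be validated against


def _normalise_hostname(hostname: str) -> str:
    """Lower-case, strip a trailing dot, and reject anything that is not a
    plain LDH hostname (no ports, paths, or IP literals in this illustration)."""
    name = hostname.strip().lower().rstrip(".")
    if not _HOSTNAME_RE.match(name):
        raise ValueError(f"not a valid DoH server hostname: {hostname!r}")
    return name


def endpoint_from_full_url(url: str) -> DohEndpoint:
    """Model 1 (current draft): the configured value is the full service URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("DoH endpoint must use https")
    if not parts.hostname:
        raise ValueError("DoH URL lacks a hostname")
    if parts.username or parts.password:
        raise ValueError("userinfo is not allowed in a DoH URL")
    return DohEndpoint(url=url, auth_hostname=_normalise_hostname(parts.hostname))


def endpoint_from_hostname(hostname: str) -> DohEndpoint:
    """Model 2 (proposal): the configured value is only a hostname; the
    client derives the URL by appending the fixed, well-known prefix."""
    name = _normalise_hostname(hostname)
    return DohEndpoint(url=f"https://{name}{ASSUMED_WELL_KNOWN_PATH}", auth_hostname=name)


def endpoint_from_config(value: str, preloaded=PRELOADED_DOH_SERVERS, user_list=None) -> DohEndpoint:
    """Resolve a configured value in this order: explicit full URL, then the
    user's own extensions to the preloaded list, then the preloaded list,
    then the fixed-prefix fallback.  The value must come from configuration,
    not from DHCP or other unauthenticated network-supplied data."""
    if "://" in value:
        return endpoint_from_full_url(value)
    name = _normalise_hostname(value)
    for table in (user_list or {}, preloaded):
        if name in table:
            ep = endpoint_from_full_url(table[name])
            if ep.auth_hostname != name:
                # A list entry whose URL points elsewhere would silently move
                # trust to a different host; refuse it.
                raise ValueError(f"list entry for {name} points at {ep.auth_hostname}")
            return ep
    return endpoint_from_hostname(name)


if __name__ == "__main__":
    for cfg in ("https://dns.example/dns-query", "dns.example", "Other.Example."):
        print(cfg, "->", endpoint_from_config(cfg))
```

The ordering in `endpoint_from_config` mirrors the message's three ways a client might learn the URL, and the check on list entries enforces the point from the quoted text: whatever supplied the URL, the client still authenticates the server against the hostname the user actually configured.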