Re: [Doh] Clarification for a newbie DoH implementor

"Mark Delany" <> Tue, 21 May 2019 04:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6291A120123 for <>; Mon, 20 May 2019 21:48:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2gmS0DreSRXE for <>; Mon, 20 May 2019 21:48:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B31F712009C for <>; Mon, 20 May 2019 21:48:53 -0700 (PDT)
Received: by (Postfix, from userid 1001) id 50B8D3B05A; Tue, 21 May 2019 14:48:50 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple;; s=2019; t=1558414130; bh=0H3racZnYPJn8LpwyWt8C55nQXI=; h=Comments:Received:Date:Message-ID:From:To:Subject:References: MIME-Version:Content-Type:Content-Disposition:In-Reply-To; b=LRpP3hO1GH+MZeAk8ZwIHz8KdXq/7KWCgGEf4vX7YnvayyuwIGfrDgZoZ1OPQ+EW3 TfKds1PJN/WvGEFsdjgT4iY9EEFb5urwMDQoUgjaYDd7OXssLedZhl8M23y0Ia8Vwe jiEwzqUcW9fVTnyX1+CxF3q01t1WKy6aRAbpGkbQ=pGkbQ=
Comments: QMDA 0.3a
Received: (qmail 11544 invoked by uid 1001); 21 May 2019 04:48:50 -0000
Date: 21 May 2019 04:48:50 +0000
Message-ID: <>
From: "Mark Delany" <>
To: "DoH WG" <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [Doh] Clarification for a newbie DoH implementor
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 May 2019 04:48:55 -0000

On 19May19, Ben Schwartz allegedly wrote:

> This is transparent and generally does not cause problems.

> In practice, none of this seems to be a problem.

I'm interested to know how you came to those conclusions. When you say
"generally" and "seems" that sounds more anecdotal than empirical.

(Was there ever a bake-off for DoH? Three independent implementations and all
that jazz?)

Having said that I accept the reality that as long as at least one IP address
gets returned in a response, then everything else that the DNS community has
layered on top of a DNS query/response is mostly icing on the cake.

IOWs the lowest common denominator is all that most clients rely on so all my
hand-wringing around TC and ECS and roles is so much esotericism. Sad for me but
hardly important.

As just one example of how indifferent clients are; as you observe, many DoH
servers re-query TC responses locally thus insulating clients. Contrast this
with dnsmasq which appears to arbitrarily clear TC and return the truncated
response to client as if it were whole.

That the Internet functions with these two completely opposing outcomes is
impressive. I'm not sure how that guides a DoH implementor to a robust solution
but it does seem to perpetuate the notion that any solution is legit as long as
it generally "seems" to work.

> DoH is a transport for DNS.

That misapprehension on my part is what initiated this thread in the first

I initially saw DoH as a port 53 tunnel, but it is anything but that if you
include client and server behavior.

At the very least the DoH server is content-aware and responds to TC=1 and
server timeouts and who knows what else based on what local resolver it is
using. In addition the DoH client is specified to be aware of TTLs and HTTP
"Age" headers and modify the response accordingly.

We also saw earlier in this thread some discussion around DoH components
participating in ECS settings.

To my mind that makes DoH more akin to an RPC interface created by slicing thru
a stub resolver.

Enough ranting. You provided useful feedback that I can act on, so thanks for