Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

"Ralf Weber" <> Wed, 23 January 2019 08:18 UTC

From: "Ralf Weber" <>
To: "Daniel Stenberg" <>
Cc: "Paul Hoffman" <>, "DoH WG" <>
Date: Wed, 23 Jan 2019 09:18:42 +0100
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <>
In-Reply-To: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

On 23 Jan 2019, at 8:25, Daniel Stenberg wrote:

> For me, one of the key elements and features with DoH is that I as a 
> user have picked a DNS provider I decide to trust.
That is a decision maybe you or I can take as an informed user with 
knowledge of how networks work. Most users (and I'm using all of my 
wider family that I support technically as an example) could not make 
such a decision. Sure, they could click somewhere, like they clicked 
"ignore cert" or "enhance your computer" multiple times, which led to tons 
of work on my side. This is why I'd like only informed users to make 
that change and let the ISP or network admin running DNS enhance their 
security by pointing them to a DoH server.

> Be it a global CDN provider or my own cloud instance.
Well, if you run your own DNS instance you soon find out that your web 
performance, especially video, is bad when you are not near your DNS 
server, as none of the big CDN companies will look at the client subnet 
extension you send.

> Any other way, with the ISP or my local network admins telling me what 
> server to use, is a major setback in my view.
> All forms of opportunistic DoH will make it no better than 
> opportunistic DoT, which ultimately will fail to protect my privacy.
Well, you can protect your privacy today by manually changing your DNS/DoH 
provider already. So the use case described in here is not for you, but 
instead for those that cannot make these informed changes.

So long
Ralf Weber
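The reply above argues that a self-hosted resolver far from the client hurts CDN performance because CDNs will not act on the client subnet extension it sends. To make concrete what that extension actually carries (and what a resolver chooses to reveal about the client), here is an added example of encoding and decoding the EDNS Client Subnet option as laid out in RFC 7871. It is not code from the thread or from any resolver; the function names and the sample addresses (192.0.2.77, 2001:db8::1) are constructed for illustration.

```python
import ipaddress
import math
import struct

# EDNS0 option code for Client Subnet (RFC 7871, section 6); assumed layout:
# OPTION-CODE(2) OPTION-LENGTH(2) FAMILY(2) SOURCE PREFIX-LENGTH(1)
# SCOPE PREFIX-LENGTH(1) ADDRESS (only ceil(prefix/8) bytes, host bits zero)
ECS_OPTION_CODE = 8
FAMILY_IPV4 = 1
FAMILY_IPV6 = 2


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode the ECS option a resolver would put in its OPT RR when
    forwarding a query on behalf of client_ip. The resolver sends
    SCOPE PREFIX-LENGTH = 0 and truncates the address to source_prefix
    bits, so the prefix length is the knob controlling how much of the
    client's address leaks to the authoritative server."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    max_len = 32 if addr.version == 4 else 128
    if not 0 <= source_prefix <= max_len:
        raise ValueError("prefix length out of range for address family")
    # Zero the host bits; RFC 7871 requires bits beyond the prefix to be 0.
    network = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = math.ceil(source_prefix / 8)
    addr_bytes = network.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes) -> dict:
    """Decode one ECS option (as built above or as received in an OPT RR).
    Rejects malformed options rather than guessing at them; non-zero host
    bits raise because the strict network constructor refuses them."""
    if len(data) < 4:
        raise ValueError("option too short for code and length")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family == FAMILY_IPV4:
        full_len, net_cls = 4, ipaddress.IPv4Network
    elif family == FAMILY_IPV6:
        full_len, net_cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError(f"unknown address family {family}")
    if len(addr_bytes) != math.ceil(source_prefix / 8):
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    network = net_cls((padded, source_prefix))  # strict: host bits must be 0
    return {
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "network": str(network),
    }


if __name__ == "__main__":
    # Constructed sample: a /24 reveals the client's neighbourhood to the
    # CDN's authoritative server, a /32 would reveal the exact host.
    opt = build_ecs_option("192.0.2.77", 24)
    print(opt.hex())
    print(parse_ecs_option(opt))
```

The round trip shows the privacy trade-off the thread touches on: a resolver that wants CDN-friendly answers has to disclose some prefix of the client address in every outbound query, and the only thing limiting that disclosure is the prefix length it chooses to send.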