Re: [Doh] WG Review: DNS Over HTTPS (doh)

Toerless Eckert <> Wed, 20 September 2017 15:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C90F4132705; Wed, 20 Sep 2017 08:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CAzNzwHB0FWg; Wed, 20 Sep 2017 08:15:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2CFEE1321A0; Wed, 20 Sep 2017 08:15:03 -0700 (PDT)
Received: from ( [IPv6:2001:638:a000:4134::ffff:77]) by (Postfix) with ESMTP id 672F058C4BF; Wed, 20 Sep 2017 17:14:59 +0200 (CEST)
Received: by (Postfix, from userid 10463) id 3919CB0CC42; Wed, 20 Sep 2017 17:14:59 +0200 (CEST)
Date: Wed, 20 Sep 2017 17:14:59 +0200
From: Toerless Eckert <>
Cc: IETF-Announce <>,
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <>
X-Mailman-Approved-At: Fri, 22 Sep 2017 08:31:29 -0700
Subject: Re: [Doh] WG Review: DNS Over HTTPS (doh)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Sep 2017 15:15:10 -0000

On Fri, Sep 15, 2017 at 08:44:53AM -0700, The IESG wrote:
> Specification of how the DNS data may be used for new use cases, and
> the discovery of the DOH servers, are out of scope for the working group.

I disagree on this becoming a working group unless the charter says either:

a) Discovery is in scope

I have no specific preferences of what discovery is done, i just
think that the security discussion needs to take the discovery being used
into account. I can already see how DoH clients will just use some
configured IP address for the DoH server and accept whatever self-signed
TLS certs are being offered. And the industry thinks its great security 
improvement because it uses TLS. I am sure there are enough people willing
to work on DoH that would be able to write down how to do that discovery piece
more securely, so why stop them doing it by writing "out of charter".


b) Security is optional. The documents will sprinkle some security fairy
dust in by mandating simple buzzwords like TLS Vmax so we can escape further
security discussions.