Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator

Brian Dickson <> Thu, 21 March 2019 22:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7B1D2124BAA; Thu, 21 Mar 2019 15:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jjVRm5zHLCPL; Thu, 21 Mar 2019 15:29:25 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F84C124B16; Thu, 21 Mar 2019 15:29:24 -0700 (PDT)
Received: by with SMTP id k2so506041qtm.1; Thu, 21 Mar 2019 15:29:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AGPZD6eh8W23qH5JFcBXcsEPFu/xlURzHeTMV8SMZns=; b=oJeEJFHcq/3gkLt/xFKipsyBDscb0eFT7iuhiJwrHlqofnw8SikGp+MD10BM7LOJo0 mPAuDNMlrjUjhrW3GBdFsHcKJPF5/m7hOYvDZJI+KWYKKWlT21xX5Sce9wnAxxUOgQwM hD6jcwpGa2E6tjvn3LCZHOcN/7D65fGm2dTwb8natpRI683UOkoz8AG2oosOJ0cele+4 98Xdv2mdz7O4Qm7gbYA/mUBAR3UoQQozKdicTCzbNTvUCKEHpbUJOFqRS5WAKv7+3qij Sr9Fmy+R6jpla7To8MDE9mS0KapJUKr5Ma6Sfg+36sIpcD2ZIlGwhqPjSJud3GyVYzfk ypjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AGPZD6eh8W23qH5JFcBXcsEPFu/xlURzHeTMV8SMZns=; b=PzoEzP2BmsQlIKxfye5Ve+5ASP2ZoLCx+9HtlCFZ9ePV7bQ3TlFvf5hixzkj+mjeLk DADdqHnojP/7Y4VY2DsF983p6ZrRn6+/OCVECOnCgZvjty/YSJ/71SH/0KuOZPBemO/j w2nv+/CVUxSwzSjQaTQp2VJnk5EDEVt+FUUFCfZluzqrZKXc2p76xqT2uwPrRLyL0ygm EBgdke0twfxsoj3w0+v0KDJ7aYSQ8x/FCI20hgLFp1DMTfrhqBrDiPNELXNNTLYIR/Bz uqkEtaTZsAKp/0Cdq+bNb6ZDHj/KzPas59x9Hj437/YJRZry0jKl6+kXuDlaBHET0r92 doKg==
X-Gm-Message-State: APjAAAXNJ/x1y+7bFeYnRiz6MRPQCTMZkOhjlRsf8ZHh8lrUr/TtMssT ObF/l6PwkSGu479YS7pu4F5H+zw46eNCtq/7mdg=
X-Google-Smtp-Source: APXvYqxrt6G5OvoJK+uH1cSw0UQnDmcMb+WrJu0HpO1jGxFzx73XnglN93W1Wiqgg/YaFW4rt70OgOiAMKsBgmToEtE=
X-Received: by 2002:ac8:1707:: with SMTP id w7mr5194975qtj.324.1553207364165; Thu, 21 Mar 2019 15:29:24 -0700 (PDT)
MIME-Version: 1.0
References: <> <1914607.BasjITR8KA@linux-9daj> <> <1900056.F7IrilhNgi@linux-9daj> <> <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Thu, 21 Mar 2019 15:29:12 -0700
Message-ID: <>
To: Jacques Latour <>
Cc: Ralf Weber <>, Ted Hardie <>, dnsop <>, DoH WG <>, Paul Vixie <>
Content-Type: multipart/alternative; boundary="0000000000003425570584a24546"
Archived-At: <>
Subject: Re: [Doh] [DNSOP] New I-D: draft-reid-doh-operator
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Mar 2019 22:29:27 -0000

On Thu, Mar 21, 2019 at 3:03 PM Jacques Latour <>

> Plus!
> Is anyone looking at adding DoH and DoT servers as part of DHCP/SLAAC?  So
> the local resolver and apps and browsers can go the _appropriate_ name
> resolution resource(s) using the protocol of choice. That would be much
> simpler for default configuration in enterprise and ISP.
I think that is a good starting place for the side meeting discussion.

However, I think a more expressive configuration might be needed, to
actually provide information to clients for them to configure themselves
and/or make decisions.
E.g.: In DHCP, provide one or more of the following kinds of announcements
or assertions:
- ISP does not allow use of DoH to off-net providers (aka DoH:NONE)
- ISP allows use of DoT to off-net providers (aka DoT:ANY)
- ISP provides a DoT server which inspects DNS queries and/or answers, but
does not record or export any information (aka DoT:<IP>,PRIVACY:YES)
- ISP provides a DoH server which inspects DNS queries and/or answers, and
records and exports per user data, keeping data for N days (aka DoH:<IP>,
- ISP provides validating DNSSEC UDP only (aka DNSUDP:<IP>, DNSSEC:VALIDATE)
- ISP provides non-validating DNSSEC UDP, allows TSIG (aka DNSUDP:<IP>,
- any other relevant stuff (DNS cookies, TCP stateful, all the newest and
shiniest stuff.)

- Then, a client could pick and choose among available options, based on
some kind of pre-configured preferences, like REQUIRE:PRIVACY,

I realize, expressiveness adds complexity. However, it does avoid
assumptions and overloading.

The main criteria is agreement on client vs server (i.e. standardize this
stuff), and possibly also add the network as another party involved (for
upstream transit ISP vs local ISP), if they have differing policies for
allowing offsite/third-party DoH or DoT.


> >From: DNSOP <> On Behalf Of Ralf Weber
> >You can not get on a network with at least trusting some of its
> infrastructure, be
> >it SLAAC or DHCP (which BTW both carry information for DNS resolving). The
> >question is where you draw the line and IMHO DNS or name resolution is a
> basic
> >network function and not an application setting.
> >
> _______________________________________________
> DNSOP mailing list