Re: [Doh] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

bert hubert <> Wed, 23 January 2019 18:53 UTC

Date: Wed, 23 Jan 2019 19:23:25 +0100
From: bert hubert <>
To: Paul Hoffman <>
Cc: DoH WG <>

On Wed, Jan 16, 2019 at 12:25:55AM +0000, Paul Hoffman wrote:
> So, does this WG want to adopt this as a work item?

Yes. My reasoning is as follows. Even though it is a challenging subject,
if we don't do it bad things will happen. As long as there is no way to
associate a network with an encrypted DNS provider (DoH in this case), we
can not rebut the argument "we simply HAVE to centralize the DNS on this
cloud provider because there is no alternative".

Regardless of what we think about the desirability of centralized or
decentralized DNS, it is never good if there are no options.

So I hope we can give this a very hard think to see what we can come up

To stimulate the discussion a bit, it turns out browsers already contain a
list of providers they are willing to trust. It may be that the solution for
provisioning DoH securely also involves having a list of providers who are
allowed to provision DoH.

The existing list of trusted parties that can (not) be trusted is of course
the list of trusted certificate authorities.