Re: [Doh] panel discussion on DoH/DoC

Shane Kerr <> Thu, 07 February 2019 13:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 152F612950A for <>; Thu, 7 Feb 2019 05:16:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fA2XYmjm7LAz for <>; Thu, 7 Feb 2019 05:16:06 -0800 (PST)
Received: from ( [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 76F391294D0 for <>; Thu, 7 Feb 2019 05:16:06 -0800 (PST)
Received: from [2001:470:78c8:2:65fc:c318:cd2d:2bb1] by with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1grjYL-0005mN-Qr for; Thu, 07 Feb 2019 13:17:17 +0000
References: <> <> <> <>
From: Shane Kerr <>
Message-ID: <>
Date: Thu, 07 Feb 2019 14:16:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [Doh] panel discussion on DoH/DoC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Feb 2019 13:16:08 -0000


On 07/02/2019 14.08, Ted Lemon wrote:
> On Feb 7, 2019, at 8:03 AM, Stephane Bortzmeyer <> wrote:
>> The protocols are not innocent (they enable, they encourage, they
>> discourage) but they are not everything either. The dominance of Gmail
>> is not written in RFC 5321. DoH helps DoC ("helps", not "enables", DNS
>> over HTTPS was possible before), it does not decide DoC.
> Of course, but in fact it appears that one of the primary use cases for DoH is DoC.   I would have thought that the primary use case for DoH was to bypass network censorship, but when I suggested as much during the discussion on the draft, the response I got suggested that the authors really hadn’t had that in mind, and that indeed the use case they had had in mind was DNS resolution in HTTP sessions by Javascript clients.   Which is, pretty much, DoC, although not the use case that subsequently emerged, where browsers do it instead of using the local resolver.

In theory one could send DoH queries to the server where you were 
getting an HTML page from, for any names that need resolution on that 
page. This would be a anti-DoC, indeed probably more decentralized than 
DNS itself is today.

If this model requires DNSSEC then it's not even that horrible, since 
web server operators would not be able to spoof or hijack DNS names.