Re: [Doh] [EXTERNAL] Re: [Ext] Request for the DOH WG to adopt draft-hoffman-resolver-associated-doh

"Winfield, Alister" <> Tue, 22 January 2019 14:04 UTC

From: "Winfield, Alister" <>
To: Jim Reid <>
CC: DoH Working Group <>
Date: Tue, 22 Jan 2019 14:04:44 +0000

I agree; just looking at where information 'could' reside, use available information and be signed using existing mechanisms. Note, I hate TXT too; NAPTR (+ SRV) is closest to the requirement in the existing RR types, but even that isn't perfect.

Issues this needs to show:
- The security of the discovery mechanism.
- How a discovered DOH end-point can be trusted (this is related to what the end-user believes is required to trust the TRR: clearly some trust their ISP, others would trust Google, yet more would only trust their corporate DNS service).

Are there any thoughts anywhere on how to define 'trust' and how that is published, audited, etc., especially when you consider this form of discovery of a DOH capability?


On 22/01/2019, 12:50, "Jim Reid" <> wrote:

    On 22 Jan 2019, at 12:15, Winfield, Alister <> wrote:
    > how about putting the information in the reverse zone for the resolver.
    >  ... This is delegated and could be DNSSEC signed.

    It won't work for RFC1918 address space.

    The bootstrapping problem isn’t solved either. Presumably you’d still be relying on DHCP or something equally insecure to get the IP addresses of the resolving servers.

    If a stub resolver gets configured in some other way -- editing /etc/resolv.conf for instance -- that might as well include whatever voodoo is needed for trusted DoH or DoT servers.

    And what if that reverse zone isn’t signed?

    Then there are the issues when that zone isn’t managed by the same entity which manages the corresponding forward zone. This is quite common. For example, if I was a Sky customer I very much doubt I’d be able to add/remove/replace one of these hypothetical RRs in whatever Sky reverse zone happens to be “hosting” the IP address of my DoH server today. And if/when I reconnect to your net and get a different IP address, what happens to the old TXT record?

    > If my resolver is a.b.c.d then you could put TXT records in the reverse..

    That’s a Bad Idea. TXT records are already overloaded (abused?) for all sorts of things. A discrete RRtype would be better. Assuming this suggestion got picked up.
