[Doh] Associating a DoH server with a resolver

Paul Hoffman <paul.hoffman@icann.org> Tue, 23 October 2018 20:15 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: DoH WG <doh@ietf.org>
Date: Tue, 23 Oct 2018 20:15:39 +0000
Message-ID: <02C39DFD-9550-447D-B00E-702B441A88BE@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/w07eNgdSMGddQ8QjdQZjaa42lmY>

Post-RFC-publication greetings. One of the topics that has been active in the DNS community since the standardization of DoH is how a browser or web application could use, as a DoH server, the resolver that the operating system on which it is running is using, or at least use a DoH server associated with that resolver. I have taken a few stabs at designing a protocol to make it possible to fulfill that need; the result is the draft below.

The draft is still in a very early stage. In fact, I've changed the underlying mechanism three times already because I forgot what browsers and operating systems could not do. I *think* the current draft is possible, but would not be surprised if someone pointed out that even this attempt is wrong. Regardless, the desire for such functionality seems strong.

Also note the Security Considerations section of the draft. In short: all this gives you is opportunistic encryption because (I believe) we can't get any better now. I would be happy to be wrong about that, of course.


--Paul Hoffman

A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : Associating a DoH Server with a Resolver
        Author          : Paul Hoffman
        Filename        : draft-hoffman-resolver-associated-doh-04.txt
        Pages           : 8
        Date            : 2018-10-23

   Browsers and web applications may want to know if there are one or
   more DoH servers associated with the DNS recursive resolver that the
   operating system is already using.  This would allow them to get DNS
   responses from a resolver that the user (or, more likely, the user's
   network administrator) has already chosen.  This document describes a
   protocol for a resolver to tell a client what its associated DoH
   servers are.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at: