Re: [Doh] A question on the mix of DNS and HTTP semantics

Ted Hardie <> Sun, 18 March 2018 11:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4AEC01243FE for <>; Sun, 18 Mar 2018 04:24:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Xc1ZyTyd1X_e for <>; Sun, 18 Mar 2018 04:24:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8E97D1242F5 for <>; Sun, 18 Mar 2018 04:24:50 -0700 (PDT)
Received: by with SMTP id y11-v6so14654962otg.0 for <>; Sun, 18 Mar 2018 04:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jcHm4E96n96nbcYYYXudJGu50lrTT0Fz5mdkc6WPieI=; b=D2+p3UyL2Wqrr9aKRhrXQhm2ThKsstVGxwvIZdTBHQoETwuJmmqghSgluwbjMKLF+D W7nHE5Sp0P1aP5FOSRgSSbbHTfqns7fc5DCErOozK8qi9pSeG3XDcMV3I2PHXkQkw1lv UEDrtXY3z1h7OBSRtePRfgo5M3O4VnuglXanj+kywB/PGrqbNWKBBHaXFXS8LkyPZ6vH kJY4DhJ7vuURDnJeIxEmJNfC/jSGVynAraWirsWw+Y4Ho/YMnWdgHDBeH32LP62R4vPL YkgPSXhWM6dy/goyou3LjBDf0XZrSZDDwFu4RNK4SKsMuL7K7et4p5QpBACHEykXu5LX hrFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jcHm4E96n96nbcYYYXudJGu50lrTT0Fz5mdkc6WPieI=; b=pJO0l8N0mpOMePyJJd2QEQcnFVfq8EBygUShJ+uohQuU7IFveTzh08PDl58VyrvoC0 kVjXccKKsXRQ36Y0NDZAgVflPe/VhY3us3OU9902rwD5WwuEgO+wyex0RWhnH0ItDq3l Di0mNuG72GpMCO0/tlpibxl5nw5caTtl3Zyl0zd7Mb9PV8a1Vh1OpgXLa76S/xBilxdS fRiYhpKXOoxQ/WWomCuYMGzyIjAiuzL9odhmzLAX7B4Cyh/t6hxc2rjk8YSXP0yu2Ub5 Qngo5GX4VOM+wr9XxgNnSCFpX+dj7xpog8Kuj2VSt2EfSs8uE3yHgXTD4FUUcrn0WPfF KX/Q==
X-Gm-Message-State: AElRT7FPklJMXLZSwNMwpZvYfrdkPWQ+souuVBnOdI6mV89Xpaemd5P2 p6wzEPAVKBvvIa+OxICD9UVl5jV3uJT53TFcIAR34w==
X-Google-Smtp-Source: AG47ELshkkc4opjpiMkMbDpYISbuQuRQk9uNcmb2IfQYOQLRSK7PmXhIUu4Fy3lVYwhHtJiUtxSKDKa3xtmvKWJrfpE=
X-Received: by 2002:a9d:fa1:: with SMTP id d30-v6mr695940otd.18.1521372289650; Sun, 18 Mar 2018 04:24:49 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Sun, 18 Mar 2018 04:24:19 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Ted Hardie <>
Date: Sun, 18 Mar 2018 04:24:19 -0700
Message-ID: <>
To: Ben Schwartz <>
Cc: Patrick McManus <>,
Content-Type: multipart/alternative; boundary="000000000000e557df0567ae1608"
Archived-At: <>
Subject: Re: [Doh] A question on the mix of DNS and HTTP semantics
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 18 Mar 2018 11:24:52 -0000

For some reason, I am seeing Ben's reply, but not Patrick's mail.  Replying
to this as a result.

On Sun, Mar 18, 2018 at 3:19 AM, Ben Schwartz <> wrote:

> On Sun, Mar 18, 2018 at 5:22 AM, Patrick McManus <>
> wrote:
>> Hi Ted, thanks for writing this down. I think I understand it a bit
>> better now.
>> I think the most relevant point is that DoH is the use of HTTP as a
>> substrate. As a user of HTTP RFC7231 is very relevant (HTTP status codes)
>> On Sat, Mar 17, 2018 at 5:42 PM, Ted Hardie <> wrote:
>>>   In particular, the HTTP semantics for redirection (e.g. HTTP response
>>> 307 or 308) and client error (e.g. HTTP response 403 or 451) may be
>>> difficult to map back into DNS errors when the target is a traditional DNS
>>> client.
>> 7231 defines 2xx as success.. If your code is not 2xx then your DoH
>> request did not succeed and you can feel confident in saying that you do
>> not have a dns response to the dns request that was made in the http
>> request. Conversely, a 2xx response needs to carry a DNS reply to your DNS
>> request. (now that can be a DNS failure - nxdomain, etc, but the 2xx at the
>> HTTP level is saying a valid DNS response to your request is contained
>> therein.. i.e. DoH has succeeded).
Saying something in the document like "only 2xx response codes will carry
response bodies with DNS UDP wireformat" would be a short and sweet way of
saying that in the document, if there is working group consensus that this
is true.  Based on my conversations yesterday, I am not sure that there is
complete consensus on this point, though there may very well be rough

However, I don't think this formulation is quite enough:

> As noted above, if you don't end this process with a 2xx you don't have a
> DNS response to the DNS query of the original request - the transport has
> failed.

A pure transport failure may result in a retry.  There are some of these
responses which strongly indicate that such a retry will result in failures
(e.g. 403).  If you do not synthesize some message to the DNS client about
the type of failure,  and the server does not provide one, what part of the
system avoids the retry?