Re: [Tsv-art] [Ext] [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13

Paul Hoffman <> Sat, 11 August 2018 23:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB2F3130E66; Sat, 11 Aug 2018 16:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hcFSvEMxj2QM; Sat, 11 Aug 2018 16:44:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A797A124BE5; Sat, 11 Aug 2018 16:44:32 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Sat, 11 Aug 2018 16:44:31 -0700
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1367.000; Sat, 11 Aug 2018 16:44:31 -0700
From: Paul Hoffman <>
To: Fernando Gont <>
CC: "" <>, "" <>, DoH WG <>, IETF Discussion Mailing List <>
Thread-Topic: [Ext] [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13
Thread-Index: AQHUMc0/uJzctOZAvUuMiBoCYe5/vw==
Date: Sat, 11 Aug 2018 23:44:30 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Tsv-art] [Ext] [Doh] Tsvart last call review of draft-ietf-doh-dns-over-https-13
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Transport Area Review Team <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 11 Aug 2018 23:44:36 -0000

On Aug 11, 2018, at 3:56 PM, Patrick McManus <> wrote:

> * Page 16:
> >    A DoH server is allowed to answer queries with any valid DNS
> >    response.  For example, a valid DNS response might have the TC
> >    (truncation) bit set in the DNS header to indicate that the server
> >    was not able to retrieve a full answer for the query but is providing
> >    the best answer it could get.  A DoH server can reply to queries with
> >    an HTTP error for queries that it cannot fulfill.
> Why should this happen? Why not encode this information in the encoded DNS
> response (in wire format)'

There was a lot of discussion in the WG about this. The result was similar to what Star replied: let the semantics of the inner protocol (DNS) retain their exact meanings, and let the semantics of the outer layer (HTTP) retain their exact meaning. A DoH client is expected to understand DNS errors *and* be a real HTTP client that can deal with normal HTTP semantics.

On Aug 11, 2018, at 4:19 PM, Fernando Gont <> wrote:
> What I had in mind when making this comment is this: There seem to be
> anycast resolvers implementing DoH (e.g., CLoudflare's and others, if I
> understand correctly). Giving them the responsibility for DNSsec
> validation would seem to me as giving them way too much power (i.e.,
> what if they were compromised and/or went evil?)

DoH clients are no different in this regard than normal DNS (port 53) or DNS-over-TLS clients. Any of the three types of DNS client can do its own DNS validation by asking for the supporting DNS records; DoH by design doesn't change this at all. But to be clear, the ratio of end clients that do their own validation is still incredibly small.

>>    * Page 15 (Security Considerations):
>>    DoH essentialy switches from a connection-less transport (UDP) to a
>>    connection-oriented one (TCP).
>> I disagree a bit. It adds a third TCP based DNS based approach to the
>> DNS over TCP and DNS over TLS approaches already standardized so it is
>> not breaking new ground in that sense.
> To put it in a different way:
> * What would be the impact if an attacker were to DoS TCP-based
> resolution in the traditional case? (i.e., while UDP-based resolution
> still works)
> * What would be the impact if an attacker were to DoS (HTTPS/)TCP-based
> resolution in the DoH case?
> If the impact were the same, then just say that, and no need to worry.
> But my understanding is that in current deployments you normally only
> fall back to TCP when the UDP response was truncated, whereas with DoH,
> you rely 100% on TCP.

DoH servers do not need to reside on the same hosts as DNS/UDP or DNS/TCP servers. Cloudflare happens to do so, possibly due to address cuteness, but there is nothing in the protocol that says they should. The impact on DoH server on attacks is identical to the impact on attacks on normal TLS-based web services.

> I don't mean you need to elaborate on how to defend it. JUst noted that
> if you completely get rid of UDP-base resolution, then the TCP one (in
> this case DoH) becomes even more critical, and the impact of a DoS
> against TCP-based resolution is higher. And defending a stateful
> protocol like TCP against resource exhaustion attacks is non-trivial.

DoH is never expected to "get rid of UDP-based resolution". The use cases for DoH are very much a subset of the use cases for general DNS resolution, and that will be UDP-based for the foreseeable future.

> Maybe I'm a bit confused. If, on the same connection, I send a request
> to resolve "A" and subsequently a request to resolve "B", the result of
> the later might come before than the result of the former? (I'm trying
> to understand what the "ordering guarantees" that are not provided with
> DoH).

Yep! This is why the DoH WG has been such a good learning experience for DNS folks about the modern HTTP world, and for HTTP folks for the modern DNS world. We're not all holding hands and singing kumbaya yet, but at least we understand better the weirdnesses that the others take for granted.

--Paul Hoffman