[Dnsmasq-discuss] [Doh] Implementation of DOH in dnsmasq

Mateusz Jończyk mat.jonczyk at o2.pl
Fri Jun 29 16:33:30 BST 2018


On 20.06.2018 at 10:57, Geert Stappers wrote:
> On Wed, Jun 20, 2018 at 10:11:53AM +0200, Nicolas Cavallari wrote:
>> On 14/06/2018 22:32, Kurt H Maier wrote:
>>> On Thu, Jun 14, 2018 at 09:38:42PM +0200, Mateusz Jończyk wrote:
>>>>
>>>> How difficult would it be to add support to DNS over HTTP/2.0 in dnsmasq, for
>>>> example in constrained environments like home routers?
>>>>
>>>
>>> This should be handled with a wrapper program.  HTTP/2.0 is an enormous
>>> and ill-defined specification and it would not be appropriate to bolt it
>>> directly into dnsmasq.  A dedicated HTTP/2.0 daemon can talk to dnsmasq
>>> on the backend to provide this service.  Home routers are not
>>> particularly constrained in this regard, since they generally have web 
>>> services running to begin with.
>>
>> It's much more than that. To be secure, TLS requires time, entropy and a CA
>> list. Many home routers fail at having all three, or require the DNS to get
>> time and CAs...

DOH server certificate could be provided together with the DOH server IP.

Thank you. So, as has been said above, implementing HTTP/2.0 may be more
difficult than implementing HTTP/1.1.

I would therefore propose to add the following text to the DOH draft (at the end
of section "HTTP/2"):

	However, older versions of the HTTP standard are simpler to implement,
	and have enough capabilities for limited capability servers on embedded
	devices so DOH clients SHOULD be able to use DOH servers that support
	only older version(s) of the HTTP standard, such as HTTP/1.0 {{RFC1945}}
	and HTTP/1.1 {{RFC7230 - RFC7235}}.


>>
>>>> Please send any replies to the DoH mailing list at <doh at ietf.org>.
>>>
>>> Why?

I asked this just for the sake of convenience.

Greetings,
Mateusz Jończyk
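
The following is an added example, not part of the original message and not dnsmasq code: it shows how little framing a DOH exchange over HTTP/1.1 needs, using the GET encoding and `application/dns-message` media type as later published in RFC 8484. The host `doh.example` and path `/dns-query` are placeholder assumptions, and the bytes would still have to travel inside TLS, with the time, entropy and CA (or provided certificate) requirements raised in the thread.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 wire-format query: ID 0, RD flag set, one question, class IN."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("each DNS label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def doh_get_request(host: str, path: str, query: bytes) -> bytes:
    """HTTP/1.1 GET with the query as unpadded base64url in the dns parameter."""
    if any(ch in host + path for ch in "\r\n "):
        raise ValueError("host and path must not contain CR, LF or spaces")
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={dns} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_doh_response(raw: bytes) -> bytes:
    """Return the DNS message from an HTTP/1.x reply, rejecting anything unexpected."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    fields = status.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/1.") or fields[1] != "200":
        raise ValueError(f"unexpected status line: {status!r}")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if headers.get("content-type") != "application/dns-message":
        raise ValueError("response is not a DNS message")
    # Only Content-Length framing is handled here (no chunked encoding).
    if headers.get("content-length") != str(len(body)):
        raise ValueError("Content-Length does not match body")
    return body

if __name__ == "__main__":
    # Constructed sample: doh.example and /dns-query are placeholder values.
    query = build_dns_query("www.example.com")
    print(doh_get_request("doh.example", "/dns-query", query).decode("ascii"))
```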
