DNS Over HTTPS
charter-ietf-doh-01

In my first ballot, I mentioned "What I've been failing to understand from the charter is the rational for DNS over HTTPS? Can you expand on this." Because I'm not an Web browser and DNS expert, or most likely because the concerns were not clear in my head, I could not clearly express my thoughts.

So I watched the IETF mailing list with attention.
Mark Nottingham's email summarized the situation

    It's not a matter of constraining the work; the work isn't proposing to operate even remotely in the way that you describe. I think we're just having a misunderstanding, because people have multiple use cases in mind for this protocol, and properties thereof have been mixed up.

    AIUI those use cases are, roughly:

    1. Configure your browser/OS to use a DOH service for DNS resolution (as above) -- this will affect browser/OS state, because it's being used for DNS; however, it's not being done from JS.

    2. Call a DOH service from Javascript (for some reason) -- note this is just like any other HTTP request; it doesn't affect browser/OS state outside of the same origin model. Yes, you can still build a browser-in-a-browser and mess with things inside that context, but that's already true today.

    3. Future handwavy things like making DNS updates over HTTP -- very ill-defined and not important for this discussion

Expressing #1 and #2 in the charter would have helped me. #2 is kind of present now.
What about the addition the notion of "browser and/or OS" in the next sentence?

The primary focus of this working group is to develop a mechanism that
provides confidentiality and connectivity between DNS Clients and Iterative
Resolvers.

I think this new text about JS is going in the right direction, but perhaps it straddles the line too much.

Say that -- contra the text here -- we discovered some respect in which it was more convenient to design the protocol in a way that made JS break. Would the charter require us not to do that? I think the answer is "no", but I just want to verify that.

(I would be a Yes, but I don't want to be the first one)

Thanks to everyone for the spirited review to date. I think the changes are headed the right direction. I trust that will continue.

I have one nit. In this text,

"The specification of how to discover DOH servers via mechanisms currently used
to discover other DNS servers (e.g., DHCP and Router Advertisements) may be
considered by the working group if the chairs determine that a sufficiently
large mass of working group participants exist who are willing to edit and
comment on documents regarding such mechanisms."

is "large" the best word to describe what you're expecting the chairs to be assessing?

:-)