In article <52cd41c4-2558-27a5-42fb-70bccc5a8823@xxxxxxxxxxx> you write:
>On 9/22/2017 9:24 AM, Warren Kumari wrote:
>> If Doh! is done right in my view it should be indistinguishable from
>> other web traffic and / or the collateral damage from blocking it
>> would be (hopefully!) politically untenable.
>
>DoH! That is indeed the main reason for doing DNS over HTTPS. The
>"javascript" use case is interesting, but not all that strong. We keep
>hearing about Java Script in web pages, but that's somewhat marginal.

I want this thing specifically so I can do DNS queries from Javascript.
My concrete example is RDAP: the obvious way to discover the RDAP server
for a TLD would be a SRV or URI lookup, but many people told us that
their RDAP clients are written in javascript and can't do DNS lookups.
So we ended up with a kludge, a file of JSON at a fixed URI at IANA.

A similar application would be the stuff I proposed in DBOUND, info that
could be in the DNS but instead is in text files in large part because
looking in the DNS is hard.

In this kind of application I'd make the DNS calls back to wherever I
got the page with the Javascript, which has a very straightforward
security model. (If it lies about the DNS responses, it can equally
well send out Javascript that lies in the pages it constructs.)

Everything else is a side issue.

R's,
John
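
The same-origin lookup described in the message above, as an added example that is not part of the original message or thread: page script builds a DNS query and addresses it to a relative path, so the resolver it trusts is the server that delivered the script. It assumes the GET encoding later standardized in RFC 8484 (base64url of the wire-format query, ID 0); the `/dns-query` path and all function names are assumptions.

```javascript
// Added example. Assumes RFC 8484 GET encoding; "/dns-query" is an assumed
// same-origin endpoint path, and all function names here are hypothetical.
const TYPE = { A: 1, SRV: 33, URI: 256 };

// Encode a domain name as length-prefixed labels, rejecting oversized input.
function encodeName(name) {
  const enc = new TextEncoder();
  const out = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = enc.encode(label);
    if (bytes.length === 0 || bytes.length > 63) {
      throw new RangeError("bad label: " + label);
    }
    out.push(bytes.length, ...bytes);
  }
  out.push(0); // root label terminates the name
  if (out.length > 255) throw new RangeError("name too long");
  return out;
}

// Wire-format query: 12-byte header (ID 0, RD set, one question) + question.
function buildQuery(name, qtype) {
  const header = [0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
  const question = [...encodeName(name), qtype >> 8, qtype & 0xff, 0, 1]; // class IN
  return Uint8Array.from([...header, ...question]);
}

// base64url without padding, as used for the ?dns= parameter.
function base64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// A relative path keeps the lookup on the origin that served the script.
function dohPath(name, qtype, endpoint = "/dns-query") {
  return endpoint + "?dns=" + base64url(buildQuery(name, qtype));
}

// In a page: fetch(dohPath("example.com", TYPE.URI),
//                  { headers: { accept: "application/dns-message" } })
```
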