Re: [Ext] Genart last call review of draft-ietf-doh-dns-over-https-12

Hi Stewart Bryant,

Just to declare that I am not a core author of the draft, but I want to give my personal opinions on your questions.


On Aug 4, 2018, at 10:10 AM, Stewart Bryant <stewart.bryant@xxxxxxxxx> wrote:
>
> I do not understand. How does a system that is using this as its DNS access mechanism find the IP address of the DNS service given only the name of the server?

Yes, bootstrapping is truly a problem. Currently we have (at least) 3 different ways to solve this problem:

1) Use a traditional DNS server for bootstrapping the IP address of the DoH server.
Firefox's TRR uses this method. In the common situation where DoH is run inside a browser, this is the most widely adopted solution.

2) Anchor the IP address but still use the host name to refer to the DoH server. A simple /etc/hosts entry will do.
This is friendly to SNI and many other things, but with the drawback that load-balancing is difficult except by using TCP Anycast, which is much trickier than UDP Anycast.

3) Issue a TLS certificate directly for the IP address, and use the IP address directly to refer to the DoH server.
Cloudflare uses this method. But most CAs do not issue certificates for IP addresses. And again, TCP Anycast is difficult for most DNS providers. Also, we lose the ability to dynamically update the address.

There must be some more and better methods to solve the bootstrap problem. Do we really need to force the client to use one of these methods?


> How about showing the mapping of this to a 1035 message using the parameters the coder would use. So for example some of that ascii is presumably the Name of the address being looked up.

Nope, DNS wire format is a compressed binary format. It splits the domain name into labels, and uses a dictionary-based method to compress the message.
I don't think we need to explain how the message is encoded -- that was already described in RFC 1035.
Nor does the reader need to understand each byte of the message -- it is just an ordinary DNS message that you can produce with any DNS utility library.
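As an added illustration of the wire format discussed above (example code, not part of this message or of the draft): a minimal RFC 1035 query encoder that splits a name into labels, a decoder that follows compression pointers, and the unpadded base64url form that the draft's GET `dns` query parameter carries. The names used are constructed samples.

```python
import base64
import struct
from typing import Tuple

def encode_name(name: str) -> bytes:
    """Split a domain name into length-prefixed labels, ending with a zero byte (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # label length is a single byte, top two bits reserved
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal query message: 12-byte header (RD=1, QDCOUNT=1) plus one question (QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at `offset`, following compression pointers (top two bits 11, RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                # the pointer is the last thing at the original position
            hops += 1
            # Pointers must reference an earlier occurrence; reject forward/self pointers and loops.
            if hops > 128 or pointer >= offset:
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def doh_get_param(msg: bytes) -> str:
    """Encode a wire-format message as the base64url value (padding stripped) of the DoH 'dns' parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

if __name__ == "__main__":
    q = build_query("www.example.com")        # constructed sample query
    print(q.hex(), decode_name(q, 12), doh_get_param(q))
```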

