Hi again,
Following up on my other mail, we'd like to understand if there's a good plan for how to handle ECH when curl is not using DoH. We're basically not at all sure if there's a good answer available here, but here's how we see the situation as of now. Be great to get feedback on this or corrections if we're making bad assumptions. There should be a use-case for ECH when DoH is not used by curl - if a system stub resolver supports DoT or DoH, then, considering only ECH and the network threat model, it would make sense for curl to support ECH without curl itself using DoH. My laptop for example uses a combination of stubby+unbound as the system resolver listening on localhost:53, so would fit this use-case. That said, it's very unclear if this is a niche that's worth trying to address. (I'm just as happy to let curl use DoH to talk to the same public recursives that stubby might use:-) But assuming this is a use-case we'd like to support... If DoH is not being used by curl, it's not clear at this time how to provide support for ECH. One option would seem to be to extend the c-ares library to support HTTPS RRs, but in that case it's not now clear whether such changes would be attractive to the c-ares maintainers, nor whether the "tag=value" extensibility inherent in the HTTPS/SVCB specification is a good match for the c-ares approach of defining structures specific to decoded answers for each supported RRtype. We're also not sure how many downstream curl deployments actually make use of the c-ares library, which would affect the utility of such changes. Another option might be to consider using some other generic DNS library (such as the getdnsapi) that does support HTTPS RRs, but it's unclear if such a library could or would be used by all or almost all curl builds and downstream releases of curl. So - does anyone have guidance as to what might be a good plan for adding ECH support to curl, when DoH is not used. Or, would you argue that's not really useful enough to warrant the work involved? Thanks again, Stephen.
OpenPGP_0xE4D8E9F997A833DD.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
