On Oct 3, 2012, at 7:42 AM, Paul Wouters <[email protected]> wrote:
> On Wed, 3 Oct 2012, Paul Hoffman wrote:
>
>> I fully agree with all of this, but it leaves the question: what about
>> tunneling DNS in TLS-over-HTTP? The earlier statement about why this would
>> not work (corporations getting MITM certificates from bad actors in the root
>> pile) doesn't actually apply because the client will have a single TLS trust
>> anchor, possibly even one not even in the root pile.
>
> Why would the client even need a single trust anchor for this?

For non-validating stubs.

> Current unbound dns-over-tls completely ignores the TLS. It is only used
> to get out, not for any type of authentication of transport or data.

Right: a validating stub that is using HTTP-over-TLS only as tunneled DNS transport has no need to know the identity of the other party.

--Paul Hoffman
