With DNSSEC yes. The publisher is then the only one in control. This is why it 
is so problematic that the browsers have pushed back instead of working with 
the DNS people. 

When personal VPNs became a thing, it didn’t take long for 90% of the VPN 
“apps” to become malicious, redirecting DNS, monitoring DNS, changing DNS. It will 
be the same with all the DoH and DoT services.

Now more than ever do we need the origin authentication that DNSSEC offers, 
which is why I push back on everyone saying DoH/DoT offers a DNSSEC replacement.

Sent from mobile device

> On Nov 21, 2018, at 11:44, Christian Huitema <[email protected]> wrote:
> 
>> On 11/20/2018 11:38 AM, Jacques Latour wrote:
>> 
>> +1 & I don't like the path is going as well, and specifically from an 
>> enterprise security point of view.  Having DNS resolution that can bypass 
>> traditional enterprise security mechanisms is adding another layer of 
>> complexity to manage, you can't have a free for all in domain name 
>> resolution in enterprise networks.  I could go on, but I just want to say
>> "I don't like the path is going".
> 
> Maybe. Over time various entities have developed control techniques that
> work by limiting which domains are resolved in a particular context, and
> how they are resolved. But at the same time, the DNS is a widely
> distributed database accessible through thousands of servers. Given this
> wide availability, do you really believe that these control techniques
> are stable in the long run?
> 
> -- Christian Huitema
> 
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
