On Tue, 12 Feb 2019, [email protected] wrote:
In this way, the whole DNS is built on HTTPS, which makes DNS more secure. DNSSEC is not necessary anymore, and many other problems like fragmentation will also not exist.
This idea is similar to DNSCurve. The problem is that channel security
does not help when you have an infrastructure of DNS caches, as nothing
in the cache can be used to validate the content.
djb's solution to this problem was to obsolete the cache, and at the CCC
conference he then threw around numbers that "claimed" caching is not
working or needed, and was proven wrong by me showing some cache
percentages of real DNS servers.
DNSSEC provides origin protection, and digital signatures are needed,
which TLS does not offer.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop