That's true. But in my view, if the trust chain is built, we can ensure a resolver (or a cache) is always talking to an identified server and the channel is always secure, then the content could not be tampered with.
[email protected]

From: Paul Wouters
Date: 2019-02-12 22:07
To: [email protected]
CC: dnsop
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, 12 Feb 2019, [email protected] wrote:

> In this way, the whole DNS is built on HTTPS which makes DNS more secure.
> DNSSEC is not necessary anymore and many other
> problems like fragmentation also will
> not exist.

This idea is similar to DNScurve. The problem is that channel security does not help when you have an infrastructure of DNS caches, as nothing in the cache can be used to validate the content.

djb's solution to this problem was to obsolete the cache, and at the CCC conference he then threw around numbers that "claimed" caching is not working or needed, and was proven wrong by me showing some cache percentages of real DNS servers.

DNSSEC provides origin protection, and digital signatures are needed, which TLS does not offer.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
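An added illustration of the point made in the thread (not code from either poster, and not real DNS or DNSSEC wire format): a record that reaches an intermediate cache over a secure channel carries nothing from that channel once it is stored, so a change made in the cache is invisible to channel security, while an origin signature attached to the record (standing in for an RRSIG; Ed25519 and the toy `name|type|data` encoding are assumptions here) still fails verification on the altered copy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RR is a minimal resource record standing in for one DNS answer.
type RR struct{ Name, Type, Data string }

// SignedRR pairs a record with an origin signature, like an RRSIG with its RRset (toy encoding).
type SignedRR struct {
	RR
	Sig []byte
}

func canonical(rr RR) []byte { return []byte(rr.Name + "|" + rr.Type + "|" + rr.Data) }

// Sign runs once at the origin, before the record enters any cache.
func Sign(priv ed25519.PrivateKey, rr RR) SignedRR {
	return SignedRR{RR: rr, Sig: ed25519.Sign(priv, canonical(rr))}
}

// Verify is what a validating resolver can do on a cached record with no channel to the origin.
func Verify(pub ed25519.PublicKey, s SignedRR) bool {
	return ed25519.Verify(pub, canonical(s.RR), s.Sig)
}

// Scenario: a record reaches an intermediate cache over a secure channel, is altered while
// sitting there, and is served onward. Returns whether each copy verifies against the zone key.
func Scenario() (cleanOK, alteredOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cache := map[string]SignedRR{} // keyed "name/type"; sample data is constructed
	cache["www.example.test./A"] = Sign(priv, RR{"www.example.test.", "A", "192.0.2.10"})
	cleanOK = Verify(pub, cache["www.example.test./A"])
	// The TLS session that delivered the record is over and nothing from it
	// is attached to the cached copy, so this edit is invisible to anyone
	// relying on channel security alone; the origin signature still catches it.
	altered := cache["www.example.test./A"]
	altered.Data = "203.0.113.99"
	cache["www.example.test./A"] = altered
	alteredOK = Verify(pub, cache["www.example.test./A"])
	return cleanOK, alteredOK
}

func main() {
	c, a := Scenario()
	fmt.Printf("clean copy verifies: %v, altered cached copy verifies: %v\n", c, a)
}
```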
