On Thu, Feb 14, 2019 at 04:31:35PM +0800, [email protected] <[email protected]> wrote a message of 74 lines which said:
> > for instance a DoH or DoT server that intentionally or
> > accidentally returns false data. DNSSEC can counter that.
>
> I don't understand why.
> If a server intentionally returns false data, it can fake anything
> because it owns the private key, DNSSEC does not help either.

So, you seem to not understand DNSSEC very well. I suggest you read
RFC 4033 and following. Summary: DNSSEC is designed so that the server
does not need the private key.

Also, "server" means two VERY different things in the DNS, resolvers
and authoritative. DNSSEC protects also against a lying intermediary
resolver.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
