Vladimír Cunat wrote:
> Still, note that for some consumers the secure transport may be an argument to drop validating DNSSEC themselves.

Or, drop any PKI, because PKI is only weakly secure subject to MitM attacks on CAs.

> If they choose some DNS provider that they trust with privacy (it might be their ISP), it seems not a huge leap to trust them with DNS integrity as well (say, the provider doing DNSSEC validation).

The problem of PKI including DNSSEC is that trusted third parties of CAs are actually untrustworthy.

> Especially as today "regular users"
> don't get that much benefit from validation, mostly relying on
> https/tls.

Though validation by https is no better/worse than DNSSEC or any other PKI, https may offer some amount of privacy.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop