Vladimír Cunat wrote:

> Still, note that for some consumers the secure transport may be an
> argument to drop validating DNSSEC themselves.

Or, drop any PKI, because PKI is only weakly secure subject to
MitM attacks on CAs.

> If they choose some DNS
> provider that they trust with privacy (it might be their ISP), it seems
> not a huge leap to trust them with DNS integrity as well (say, the
> provider doing DNSSEC validation).

The problem of PKI including DNSSEC is that trusted third
parties of CAs are actually untrustworthy.

> Especially as today "regular users"
> don't get that much benefit from validation, mostly relying on
> https/tls.

Though validation by https is no better/worse than DNSSEC
or any other PKI, https may offer some amount of privacy.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
