On 12/02/2019 09:34, Stephane Bortzmeyer wrote:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>  zuop...@cnnic.cn <zuop...@cnnic.cn> wrote
>  a message of 546 lines which said:
>
>> DNSSEC is not necessary anymore
>
> This is clearly false. DoH provides _channel security_, DNSSEC provides
> _content security_ (or object security). This is a very important
> difference in security (we have JWS even if we have HTTPS, for
> instance).

Indeed, you might want to look at one of the presentations by Willem
Toorop and myself. In respect of channel security, DoH and DoT with
authenticated TLS are similar.

- RIPE 76 DNS WG
  https://ripe76.ripe.net/presentations/56-sunrise-DoT-sunset-DNSSEC.pdf
  https://ripe76.ripe.net/archives/video/67

- ICANN DNS Symposium 2018
  https://www.icann.org/en/system/files/files/presentation-sunrise-dns-tls-sunset-dnssec-13jul18-en.pdf

- APNIC/RIPE blog post: Sunrise DNS over TLS, sunset DNSSEC?
  https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
  https://labs.ripe.net/Members/willem_toorop/sunrise-dns-over-tls-sunset-dnssec

-- Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop