Original subject: New draft on delegation revalidation

On 4/24/20 4:49 PM, Shumon Huque wrote:
>
> Even DNSSEC-validated NSs and IPs aren't sufficient to ensure privacy,
> so I'd rather kill this problem by proper encrypted protocol towards
> authoritatives (in current dprive charter).
>
>
> DNSSEC of course does not address privacy, that much is clear.
> But I don't think I agree that encrypted transport addresses the
> data authentication issue here.

[...]

Of course, I didn't mean to imply it would allow us to completely drop DNSSEC. By the way, using DNSSEC to anchor the chain to "DNS privacy" makes most sense to me (even webPKI doesn't help you with getting the "right" hostname/SNI).

Still, note that for some consumers the secure transport may be an argument to drop validating DNSSEC themselves. If they choose some DNS provider that they trust with privacy (it might be their ISP), it seems not a huge leap to trust them with DNS integrity as well (say, the provider doing DNSSEC validation). Especially as today "regular users" don't get that much benefit from validation, mostly relying on HTTPS/TLS. Some of them also want a variant of DNS filtering, which still clashes with validation a bit (if done *after* filtering).