Jay,

On Oct 1, 2019, at 12:18 PM, Jay R. Ashworth <j...@baylink.com> wrote:
> This is thought to be about security?
> 
> Didn't we already *fix* DNS SECurity?

No.  DNSSEC solves a different problem (being able to verify what you get is 
what the domain owner published).

DoH (and DoT) encrypt (and authenticate) the application <-> recursive resolver 
channel (NOT the DNS data) which I gather some view as an attack vector. 
Mozilla has decided to _also_ redefine the default resolver (unless 
use-application-dns.net NXDOMAINs), instead 
of the resolver (typically) assigned by the ISP, for browser queries.  That 
last bit is generating a bit of ‘discussion’ as it can bypass efforts by 
network operators to modify DNS responses for whatever reason (e.g., protect 
customers from phishing sites, censoring domain names in response to court 
orders, monetizing typos, etc.).

Regards,
-drc
