On Fri, 14 Dec 2018, Eric Rescorla wrote:
> However, in a large number of cases (e.g., an attacker on your local network), there are non-DNSSEC ways of obtaining this property, such as using DoH.
Data origin authenticity is not the same as transport security. DoH offers no guarantee that the non-DNSSEC-protected information you received is not modified. Unfortunately, I keep needing to say this on various IETF lists.

The move towards "blindly trusting DNS over HTTPS/TLS" servers is misguided and just moving the goal post. It is very concerning now that we see browser vendors start moving DNS from the endpoint to trusted servers elsewhere on the internet under the control of very few, mostly US-based, for-profit entities.

Paul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
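The distinction Paul draws, shown as an added example that is not part of the thread: a toy resolver in Go where the client runs two checks on the same answer. The channel check (an HMAC standing in for TLS record protection, an assumption of this model) only proves the bytes came from the resolver the client connected to; the origin check (an Ed25519 signature by the zone key, standing in for an RRSIG, with a simplified canonical form rather than RFC 4034 wire format) proves the data itself was not altered, no matter which resolver delivered it. All names, keys and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// RRset is a simplified DNS answer: owner name, type and record data.
// Real DNSSEC signs the canonical wire form of the RRset (RFC 4034 §6);
// this toy joins the fields with newlines instead (simplification).
type RRset struct {
	Name  string
	Type  string
	RData []string
}

func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "\n" + r.Type + "\n" + strings.Join(r.RData, "\n"))
}

// SignedAnswer is what a resolver hands back: the RRset plus the zone's
// signature over it (standing in for an RRSIG record).
type SignedAnswer struct {
	RRset RRset
	Sig   []byte
}

// SignRRset is performed by the zone operator with the zone's private key.
func SignRRset(zoneKey ed25519.PrivateKey, rr RRset) SignedAnswer {
	return SignedAnswer{RRset: rr, Sig: ed25519.Sign(zoneKey, rr.canonical())}
}

// VerifyOrigin is the DNSSEC-style check: the client validates the data
// against the zone's public key, independent of which resolver delivered it.
func VerifyOrigin(zonePub ed25519.PublicKey, a SignedAnswer) bool {
	return ed25519.Verify(zonePub, a.RRset.canonical(), a.Sig)
}

// channelMAC stands in for TLS record protection between client and resolver:
// it proves the bytes arrived unmodified from the resolver, nothing more.
func channelMAC(sessionKey, payload []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(payload)
	return m.Sum(nil)
}

// Resolver returns an answer over the protected channel. With tamper set it
// rewrites the address, modelling a resolver that serves modified data over
// a perfectly valid transport session.
func Resolver(sessionKey []byte, a SignedAnswer, tamper bool) (SignedAnswer, []byte) {
	if tamper {
		a.RRset.RData = []string{"198.51.100.7"} // constructed, RFC 5737 documentation range
	}
	return a, channelMAC(sessionKey, a.RRset.canonical())
}

// Outcome records what each check concluded about one answer.
type Outcome struct {
	ChannelOK bool
	OriginOK  bool
}

// Evaluate runs the transport check and the origin check on a returned answer.
func Evaluate(sessionKey []byte, zonePub ed25519.PublicKey, a SignedAnswer, mac []byte) Outcome {
	return Outcome{
		ChannelOK: hmac.Equal(mac, channelMAC(sessionKey, a.RRset.canonical())),
		OriginOK:  VerifyOrigin(zonePub, a),
	}
}

// Demo queries an honest resolver and a modifying one and returns both outcomes.
func Demo() (honest, tampered Outcome) {
	zonePub, zoneKey, _ := ed25519.GenerateKey(rand.Reader)
	sessionKey := make([]byte, 32) // constructed stand-in for a TLS session key
	rand.Read(sessionKey)

	signed := SignRRset(zoneKey, RRset{Name: "www.example.", Type: "A", RData: []string{"192.0.2.10"}})

	a1, mac1 := Resolver(sessionKey, signed, false)
	honest = Evaluate(sessionKey, zonePub, a1, mac1)

	a2, mac2 := Resolver(sessionKey, signed, true)
	tampered = Evaluate(sessionKey, zonePub, a2, mac2)
	return honest, tampered
}

func main() {
	honest, tampered := Demo()
	fmt.Printf("honest resolver:    channel ok=%v origin ok=%v\n", honest.ChannelOK, honest.OriginOK)
	fmt.Printf("modifying resolver: channel ok=%v origin ok=%v\n", tampered.ChannelOK, tampered.OriginOK)
}
```

The modifying resolver passes the channel check and fails only the origin check: an authenticated, encrypted path to a resolver says nothing about whether that resolver, or whoever controls it, changed the records before sending them. Only a signature the client can verify against the zone's key (DNSSEC validation at the endpoint) detects that.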