zlacker

1. zie+(OP) 2022-01-27 23:35:44
DNSSEC is security in the other direction (DNS server -> client). All DNSSEC does is securely sign all the responses to DNS queries.

So DNSSEC is the answer to: can I trust this IP is valid for the name news.ycombinator.com?

DNS over TLS/HTTPS just says, nobody but the DNS server I use can see I'm wanting news.ycombinator.com's IP. It's mostly useless at the moment, since other gaps exist leaking essentially the same information (SNI, etc.), but it should get more useful over time, as people are working on fixing those gaps.

replies(1): >>zaarn+v71
2. zaarn+v71 2022-01-28 10:35:58
>>zie+(OP)
QUIC and ECH cover the leakage of host information already, so DNS over TLS/HTTPS is plenty useful already IMO. Just needs the hosts to upgrade to support ECH or QUIC. Plus it's never bad to cover your bases; DNS queries are for more than just the browser (i.e., for example the SRV record which an application may use for connection data or TXT records for configuration or ACME).