Walter H. via bind-users <bind-users@lists.isc.org> wrote:

> > DOH/DOT is dead;
> > use DNSSEC instead and no troubles;

No. DNSSEC is about data integrity. It allows me to host my zones with a collection of semi-trusted third parties without having to worry about them changing my DNS records. It allows clients to be sure they got the correct data when querying my zones. But DNSSEC does not provide any confidentiality, and it doesn't protect the protocol parts of DNS packets such as the RCODE and the EDNS options.

DoH and DoT are the opposite. They provide better confidentiality (network middleboxes can't see your queries) and better transport integrity (active attackers can't mess with things like EDNS options), but they don't authenticate the contents of DNS records.

It is wrong to say that one is better than the other: they are orthogonal. It's good to deploy either of them, and better to deploy both.

Tony.
--
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Viking, North Utsire: Southwesterly, veering westerly later, 4 to 6. Moderate, occasionally rough later. Rain, showers later. Good, occasionally poor.