On Wed, 3 Oct 2012, Paul Hoffman wrote:

> I fully agree with all of this, but it leaves the question: what about
> tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not
> work (corporations getting MITM certificates from bad actors in the root pile)
> doesn't actually apply because the client will have a single TLS trust anchor,
> possibly one not even in the root pile.

Why would the client even need a single trust anchor for this?

Current Unbound dns-over-tls completely ignores the TLS. It is only used
to get out, not for any type of authentication of transport or data.

Paul
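As an added example (not code from the thread or from Unbound), the following client skeleton makes the two policies discussed above concrete: an "opportunistic" context that uses TLS only to get out, with no peer authentication, and a "pinned" context that accepts exactly one caller-supplied trust anchor, independent of the system root store. The resolver address, server name and trust-anchor PEM are assumptions the caller supplies.

```python
"""Minimal DNS-over-TLS client skeleton contrasting unauthenticated and
single-trust-anchor policies. Not from the thread or from Unbound."""
import socket
import ssl
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a DNS query (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def make_context(policy: str, trust_anchor_pem: Optional[str] = None) -> ssl.SSLContext:
    """'opportunistic': TLS for transport only, no authentication (the 2012 Unbound
    behaviour described above). 'pinned': require a certificate chaining to the one
    supplied anchor and matching the server name; the system root pile is not loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if policy == "opportunistic":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif policy == "pinned":
        if not trust_anchor_pem:
            raise ValueError("pinned policy needs a trust anchor")
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cadata=trust_anchor_pem)  # only this anchor
    else:
        raise ValueError("unknown policy: " + policy)
    return ctx


def query_over_tls(ctx: ssl.SSLContext, host: str, server_name: str,
                   name: str, port: int = 853) -> bytes:
    """Send one query and return the raw DNS response (assumed resolver details)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            return tls.recv(length)
```

With the "pinned" context, a resolver presenting a certificate from any other CA, including one in the system root store, fails the handshake; with "opportunistic" it does not.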
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations