On Wed, 21 Dec 2016, John Levine wrote:
> Those malevolent actors are just as capable of using DNSSEC.
> A lot of the arguments I'm seeing here boil down to "my users are
> better off with a signed A record pointing to a site that installs
> Cryptolocker than with an unsigned NXDOMAIN or SERVFAIL."
This comparison is false. Asking people to trust unsigned DNS, or
filtering out DNS without signed proof of why it is filtered,
is a downgrade attack on everything DNSSEC is supposed to protect
us from.
It's like saying browser users must click on "accept bogus cert
to continue".
> There may be a world in which that is true but I'm pretty sure this
> isn't it.
You are wrong.
For example, imagine the irony of the next DNSCHANGER actually changing
people's DNS configuration from the ISP-issued resolver to a local full
resolver in order to bypass rpz or government DNS filters.
Paul
ps: guess the good news is governments mandating port 53 blocking
nationwide will run into 4 different ways of people doing DNS over
HTTP/TLS.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
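The two positions above, as an added model that is not from the thread or from any DNS implementation: a toy validating stub that classifies replies as secure, insecure or bogus. It shows Levine's case (a signed A record for a malicious host validates cleanly and is handed to the application with AD set) and Paul's case (an RPZ NXDOMAIN for a name in a signed zone carries no signature, so the validator cannot tell it from an on-path forgery and returns SERVFAIL for both). The zone key, the HMAC standing in for RRSIG/DNSKEY, the one-entry set of DS-proven zones, the simplified NSEC ordering and all names and addresses are assumptions constructed so the model runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed key material. The zone key stands in for example.com's DNSKEY and
# an HMAC tag stands in for an RRSIG; a real validator checks an asymmetric
# signature chained through DS records to the root trust anchor. Both are
# assumptions made so the model runs offline.
ZONE_KEYS = {"example.com.": b"constructed zone signing key for example.com"}
# Zones the resolver has proven signed via a DS chain (assumption: only one).
SIGNED_ZONES = set(ZONE_KEYS)

RRset = list  # of (owner, rtype, rdata) tuples


def canonical(rrset: RRset) -> bytes:
    """Canonical form of an RRset: the bytes the signature covers."""
    return "\n".join(f"{o} {t} {d}" for o, t, d in sorted(rrset)).encode()


def rrsig(zone: str, rrset: RRset) -> bytes:
    """Stand-in RRSIG: only the holder of the zone key can produce it."""
    return hmac.new(ZONE_KEYS[zone], canonical(rrset), hashlib.sha256).digest()


@dataclass
class Response:
    qname: str
    rcode: str                    # "NOERROR" or "NXDOMAIN"
    rrset: RRset                  # answer RRs, or the NSEC denial for NXDOMAIN
    sig: Optional[bytes] = None   # None models an unsigned (rewritten or forged) reply


def signed_zone_for(qname: str) -> Optional[str]:
    """Closest enclosing zone known to be signed, or None for an unsigned delegation."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SIGNED_ZONES:
            return candidate
    return None


def nsec_covers(qname: str, rrset: RRset) -> bool:
    """Authenticated denial: an NSEC whose owner < qname < next (simplified ordering)."""
    return any(t == "NSEC" and owner < qname < nxt for owner, t, nxt in rrset)


def validate(resp: Response) -> str:
    """Classify a reply as 'secure', 'insecure' or 'bogus' (RFC 4035 terms)."""
    zone = signed_zone_for(resp.qname)
    if zone is None:
        return "insecure"  # no DS chain: nothing to verify, and nothing to trust
    if resp.sig is None or not hmac.compare_digest(resp.sig, rrsig(zone, resp.rrset)):
        return "bogus"     # a signed zone answered without a valid signature
    if resp.rcode == "NXDOMAIN" and not nsec_covers(resp.qname, resp.rrset):
        return "bogus"     # signed material that does not actually deny this name
    return "secure"


def stub_result(resp: Response) -> tuple:
    """What a validating stub hands the application: (rcode, AD flag)."""
    state = validate(resp)
    if state == "bogus":
        return ("SERVFAIL", False)
    return (resp.rcode, state == "secure")


# --- constructed scenarios from the thread -------------------------------
BAD = "malware.example.com."  # constructed name standing in for a malware host
A_RRSET = [(BAD, "A", "192.0.2.66")]
# Levine's case: the zone owner signs the record, so it validates cleanly.
signed_malware = Response(BAD, "NOERROR", A_RRSET, rrsig("example.com.", A_RRSET))
# RPZ on the resolver rewrites to NXDOMAIN but cannot sign for example.com.
rpz_rewrite = Response(BAD, "NXDOMAIN", [], None)
# An on-path forger produces exactly the same thing.
forged_nxdomain = Response(BAD, "NXDOMAIN", [], None)
# Tampering with the signed answer (keeping the old RRSIG) is caught.
tampered = Response(BAD, "NOERROR", [(BAD, "A", "198.51.100.9")], signed_malware.sig)
# A genuine NXDOMAIN carries a signed NSEC that covers the name.
GONE = "nothere.example.com."
NSEC = [("a.example.com.", "NSEC", "z.example.com.")]
real_nxdomain = Response(GONE, "NXDOMAIN", NSEC, rrsig("example.com.", NSEC))
# The same policy answer for a name in an unsigned zone passes, but so would a forgery.
unsigned_rpz = Response("malware.unsigned-example.org.", "NXDOMAIN", [], None)


def run_scenarios() -> dict:
    cases = {
        "signed A to malware": signed_malware,
        "RPZ NXDOMAIN (signed zone)": rpz_rewrite,
        "forged NXDOMAIN (signed zone)": forged_nxdomain,
        "tampered A, stale RRSIG": tampered,
        "real NXDOMAIN with NSEC": real_nxdomain,
        "RPZ NXDOMAIN (unsigned zone)": unsigned_rpz,
    }
    return {name: (validate(r), stub_result(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The point the model makes visible is the last two rows of the table it prints: the policy NXDOMAIN is accepted only where the zone is unsigned, and in exactly that case the validator would accept a forgery too. Where the zone is signed, the rewrite and the forgery are byte-for-byte the same reply and both end in SERVFAIL; the resolver has no signed way to say "this was policy, not an attack".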