> On Aug 21, 2018, at 7:33 AM, Tony Finch <d...@dotat.at> wrote:
>
> Tom Pusateri <pusat...@bangj.com> wrote:
>
>> Come to think of it, DNSSEC validation in the stub resolver or browser
>> is really a place DoH could shine. Instead of all the round trips
>> required for validating up (down) the chain,
>
> With DNS to a recursive server (UDP, TCP, or TLS) as currently deployed,
> you only need 1 round trip in simple cases or 2 round trips if there's a
> CNAME or SRV (etc.) because you know ahead of time all the queries you
> need to make to get the validation chain and they can trivially be
> pipelined.
>
> Tony.
Yes, and with CHAIN Query Requests in DNS it’s even better. But this still can’t beat the foreknowledge the web/DoH server has about the page you’re viewing. The web/DoH server can HTTP/2 Push all of the validation records for links you MAY click on in the future while you’re reading the page, taking into account the scroll position of your page. The validation can then be done in the browser before you click on the link and once you do, the browser knows the address and has validated it.

Tom

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
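Tony's round-trip count rests on the validator knowing every chain query up front. As an added illustration (not code from either poster), this small Python planner enumerates those queries for a name and groups them into pipelined batches, so the number of batches is the number of round trips. It assumes a zone cut may sit at every label boundary (so DS and DNSKEY are fetched for every ancestor, over-querying rather than needing prior knowledge), that the root trust anchor is configured, and that CNAME targets are learned only from the first batch's answers.

```python
"""Plan the queries a validating stub sends for one <name, type>.

Constructed example. Assumptions:
  * a zone cut may exist at every label boundary, so DS and DNSKEY are
    requested for every ancestor (conservative, needs no prior knowledge);
  * the root trust anchor is configured, so no DS is queried for ".";
  * a CNAME target is only known after the first answer arrives, so each
    CNAME hop costs one more batch (one more round trip).
"""
from typing import Dict, List, Tuple

Query = Tuple[str, str]          # (owner name, RR type)


def ancestors(name: str) -> List[str]:
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.', '.']"""
    labels = [label for label in name.rstrip(".").split(".") if label]
    zones = [".".join(labels[i:]) + "." for i in range(len(labels))]
    return zones + ["."]


def chain_queries(name: str, qtype: str) -> List[Query]:
    """Every query needed to validate <name, qtype>; all issuable at once.

    The answer carries its own RRSIG; validating it needs the DNSKEY of each
    (possible) zone and the DS that links each zone to its parent.
    """
    queries: List[Query] = [(name, qtype)]
    for zone in ancestors(name):
        queries.append((zone, "DNSKEY"))
        if zone != ".":                     # root DS is replaced by the anchor
            queries.append((zone, "DS"))
    return queries


def plan(name: str, qtype: str, cnames: Dict[str, str]) -> List[List[Query]]:
    """Return batches of pipelined queries; len(result) == round trips.

    `cnames` maps owner -> target and stands in for CNAMEs discovered in the
    previous batch's answers. A CNAME loop is cut off rather than followed.
    """
    batches: List[List[Query]] = []
    seen = set()
    current = name
    while current is not None and current not in seen:
        seen.add(current)
        batches.append(chain_queries(current, qtype))
        current = cnames.get(current)
    return batches
```

With no CNAME the plan is a single batch (one round trip); each CNAME hop discovered in the answers adds one more.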