I think both DNSSEC and DoH (or DoT) can protect DNS data; the fundamental point is to establish the trust chain and transit trust. Regarding the case "secondary name servers managed by a different organisation", the servers can publish several TLSAs to distinguish them.

This idea is just a sketch model and provides another option for DNS security and privacy. Transiting trust is hard but may be accomplished in the future. The deployment of DNSSEC also takes a long time and is still in progress.

zuop...@cnnic.cn

From: Stephane Bortzmeyer
Date: 2019-02-13 21:44
To: zuop...@cnnic.cn
CC: dnsop; Paul Wouters
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Wed, Feb 13, 2019 at 02:03:26PM +0800, zuop...@cnnic.cn <zuop...@cnnic.cn> wrote a message of 103 lines which said:

> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver (or a cache) is always talking to an identified
> server and the channel is always secure, then the content could not
> be tampered.

Several emails already mentioned cases where it is not true (relaying through a forwarder - transitive trust is hard - or secondary name servers managed by a different organisation - a common use case).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
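One reading of "the servers can publish several TLSAs to distinguish them" is that each name server, whoever operates it, gets its own DANE-EE TLSA RRset under its own name, and a name may carry more than one record (for instance during a certificate rollover). The sketch below is an added illustration of that matching logic, not code from this thread or from any DNS implementation; the zone names (ns1.example, ns2.example), the port 853 owner-name convention, and the "DER" and "SPKI" byte strings are all constructed stand-ins. It only handles usage 3 (DANE-EE) and does not fetch or validate anything over the network.

```python
"""Sketch of DANE-EE TLSA pinning for a zone whose name servers are run by
different operators.  Added example: names, certificates and TLSA
parameters are constructed for illustration, not taken from the thread."""

import hashlib

# TLSA field values (RFC 6698): usage, selector, matching type.
DANE_EE = 3            # record pins the server's own end-entity certificate
FULL_CERT, SPKI = 0, 1 # selector: whole certificate or SubjectPublicKeyInfo
EXACT, SHA256, SHA512 = 0, 1, 2  # matching type


def tlsa_owner(host, port=853, proto="tcp"):
    """Owner name of the TLSA RRset for a DoT-style service on `host`."""
    return f"_{port}._{proto}.{host}."


def assoc_data(cert_der, spki_der, selector, mtype):
    """Certificate association data a TLSA record would carry for this cert."""
    blob = cert_der if selector == FULL_CERT else spki_der
    if mtype == EXACT:
        return blob
    if mtype == SHA256:
        return hashlib.sha256(blob).digest()
    if mtype == SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def publish_tlsa(zone, host, cert_der, spki_der, selector=SPKI, mtype=SHA256):
    """Add a DANE-EE TLSA record for `host` to the constructed zone (a dict)."""
    rr = (DANE_EE, selector, mtype, assoc_data(cert_der, spki_der, selector, mtype))
    zone.setdefault(tlsa_owner(host), []).append(rr)
    return rr


def tlsa_matches(zone, host, cert_der, spki_der):
    """True if the certificate presented by `host` matches any of its TLSA records.

    A resolver would run this after the TLS handshake with `host`, using the
    TLSA RRset it obtained for _853._tcp.<host>.  Records for other usages
    are skipped here rather than evaluated."""
    for usage, selector, mtype, data in zone.get(tlsa_owner(host), []):
        if usage != DANE_EE:
            continue
        try:
            if assoc_data(cert_der, spki_der, selector, mtype) == data:
                return True
        except ValueError:
            continue
    return False


# Constructed stand-ins for DER-encoded certificates and SPKIs, one per operator.
NS1_CERT = b"constructed-DER-cert-ns1-operator-A"
NS1_SPKI = b"constructed-SPKI-ns1-operator-A"
NS2_CERT = b"constructed-DER-cert-ns2-operator-B"
NS2_SPKI = b"constructed-SPKI-ns2-operator-B"
NS2_NEW_CERT = b"constructed-DER-cert-ns2-operator-B-rollover"
NS2_NEW_SPKI = b"constructed-SPKI-ns2-operator-B-rollover"


def build_example_zone():
    """Zone with one TLSA RRset per name server; ns2 carries two records."""
    zone = {}
    publish_tlsa(zone, "ns1.example", NS1_CERT, NS1_SPKI)
    publish_tlsa(zone, "ns2.example", NS2_CERT, NS2_SPKI)
    # Operator B mid-rollover: old and new certificates pinned side by side.
    publish_tlsa(zone, "ns2.example", NS2_NEW_CERT, NS2_NEW_SPKI, FULL_CERT, SHA512)
    return zone


if __name__ == "__main__":
    z = build_example_zone()
    print("ns2 presents operator B cert:", tlsa_matches(z, "ns2.example", NS2_CERT, NS2_SPKI))
    print("ns2 presents operator A cert:", tlsa_matches(z, "ns2.example", NS1_CERT, NS1_SPKI))
```

The check only means something if the resolver obtained the TLSA RRset in a way it can trust, which in practice is DNSSEC validation of that RRset; otherwise whoever can tamper with the TLSA answer can also pin their own certificate, which is the "transitive trust" problem the thread is discussing.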