On 14 Feb 2019, at 06:36, zuop...@cnnic.cn wrote:

> I think both DNSSEC and DoH (or DoT) can protect DNS data

It depends on your definition of “protect”. For some threats/attacks, DoH or DoT by themselves can’t protect DNS data - for instance a DoH or DoT server that intentionally or accidentally returns false data. DNSSEC can counter that, provided the client can perform validation and the DoH or DoT server returns DNSSEC material in its responses. It might not always be wise to make these assumptions, especially client-side validation.

> Transiting trust is hard but may be accomplished in the future.

That simply won’t be possible until every DNS client does DNSSEC validation. Good luck with that.

> The deployment of DNSSEC also takes a long time and is still in progress.

Indeed. That’s yet another reason why transiting trust is hard.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
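An added example, not part of the thread, of the distinction the reply turns on: a DoH/DoT response may carry only the resolver's AD bit (which a server returning false data can set just as easily), or it may carry RRSIGs that a validating client could check itself. The wire-format responses for example.com are constructed here with a placeholder signature; the code only inspects what material is present and does no cryptographic validation.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
FLAG_QR, FLAG_AD = 0x8000, 0x0020   # response bit; "authentic data" bit set by the resolver

def _name(s):
    """Encode a dotted hostname in DNS wire format (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def _rr(name, rtype, rdata, ttl=300):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(qname, rrs, ad):
    """Constructed response: one A question, the given answer RRs, optional AD bit."""
    flags = FLAG_QR | (FLAG_AD if ad else 0)
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    return hdr + _name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs)

def assess(msg):
    """Classify how the client could establish the integrity of a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype and qclass
    rrsigs = 0
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
    if rrsigs:
        return "client-verifiable"       # RRSIGs present: the client can validate itself
    if flags & FLAG_AD:
        return "resolver-asserted"       # only the resolver's word; a lying server can set AD
    return "unprotected"

# Constructed samples (TEST-NET address, placeholder signature bytes, not a real RRSIG)
A_RDATA = bytes([192, 0, 2, 1])
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
               + _name("example.com") + b"\x00" * 64)
AD_ONLY = build_response("example.com", [_rr("example.com", TYPE_A, A_RDATA)], ad=True)
WITH_RRSIG = build_response("example.com", [_rr("example.com", TYPE_A, A_RDATA),
                                            _rr("example.com", TYPE_RRSIG, RRSIG_RDATA)], ad=True)
PLAIN = build_response("example.com", [_rr("example.com", TYPE_A, A_RDATA)], ad=False)
```

Only the "client-verifiable" case gives the client anything to check independently of the DoH/DoT server; the AD bit alone is the resolver asking to be trusted.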