In article <cahbrmsaodx8q67_zwpdh6uh1rdy9qbkleloh0yws4w1b0_z...@mail.gmail.com> you write: >I support adoption, but I think we should consider a substantial >simplification of the design, focusing on a consensus core of basic >functionality.
Agreed. While I understand the motivation for this draft, the more I look at it the less I understand the security model. Like Joe I don't understand the implications of the assumption that http and DNS servers on the IP address are under the same management, or will return consistent information. I also don't understand how this relates to DNSSEC, since the RESINFO results are likely to be synthesized in the cache and are unlikely to be signed. To some extent DoH and DoT can mitigate MITM attacks since their SSL certs may be able to tell you who you're talking to, but I don't understand the downgrade and other attacks against whatever security the certs provide. R's, John _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
