We could add a recommendation like "Clients using ECH SHOULD select a DNS resolver that they trust to preserve the confidentiality of their queries and return authentic answers, and communicate using an authenticated and confidential transport", but this draft seems like an odd place for that text.
When DNS SVCB has an ech entry, DNS is being used a little differently than conventional DNS for an IP address, since there you can use TLS to authenticate what DNS told you. For ECH you cannot. In other words, I think a recommendation, or a warning in the security considerations, is exactly right for this document.
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org