Deirdre Connolly wrote on 2024-09-30 10:59:
>> We could add a recommendation like "Clients using ECH SHOULD select a
>> DNS resolver that they trust to preserve the confidentiality of their
>> queries and return authentic answers, and communicate using an
>> authenticated and confidential transport", but this draft seems like an
>> odd place for that text.
> I support this more than the DNSSEC recommendation
I would not. much of the world now relies upon inauthentic dns responses
for defense against bad actors. here's how US NCCIS puts it:
https://www.cisa.gov/news-events/alerts/2021/03/04/joint-nsa-and-cisa-guidance-strengthening-cyber-defense-through
it is precisely to prevent protective dns from being bypassed that many
of us block all off-net DNS including off-net HTTPS to known DoH
services. malicious insiders, intruders, malware, and poisoned supply
chains do not want their DNS lookups to be monitored or blocked.
we can argue about where the advice should and shouldn't appear, but we
mustn't appeal to "response authenticity" when recommending a recursive
DNS service. response authenticity is what our attackers need.
--
P Vixie
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org