On Oct 7, 2019, at 10:45 AM, Jim <mysi...@gmail.com> wrote:
> My suggestion would be ultimately that DNS Clients implement DNSSEC
> validation themselves to avoid tampering by a malicious client on their network
> for phishing purposes or a malicious recursive DNS Resolver server

Yep. That is (IMHO) the right (only) answer to actually fix the ‘lying’ problem 
instead of making it “someone else’s problem”, although that turns lies into 
DoS when all you get back from your resolver is unvalidatable answers.

To solve this problem, browser vendors really should implement validation in 
their stub resolvers. This would have the benefit that if validation fails, a 
useful error message could be presented to the user (e.g., “the website name 
you looked up has been tampered with!”). Instead, they have chosen to rely on 
their “trusted recursive resolvers” to not lie to them and use agreements 
rather than code.

This, of course, doesn’t stop the snooping/metadata collection problem.

Regards,
-drc
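As an added illustration, not part of the thread and not anyone's shipping code, here is a toy Python model of the two stub designs being compared: a "trusting" stub that accepts whatever the recursive resolver returns, and a validating stub that checks an RRset against its RRSIG before handing the answer to the application. To stay self-contained it uses an HMAC as a stand-in for the RRSIG public-key signature and a constructed `ZONE_KEY` in place of the DNSKEY/DS chain; real DNSSEC uses RSA/ECDSA/EdDSA and obtains the key through the chain of trust. The names, addresses and timestamps are constructed. It shows the three outcomes the message describes: a genuine answer validates, a tampered answer is rejected with a user-facing error, and a signed zone whose signatures have been stripped becomes unresolvable (the "lies turn into DoS" case) rather than silently accepted.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed key standing in for the zone's DNSKEY. Real DNSSEC uses an
# asymmetric key published in the zone and anchored by a DS record upstream.
ZONE_KEY = b"constructed-zone-key-not-a-real-dnskey"


@dataclass(frozen=True)
class RRSIG:
    """Subset of RFC 4034 RRSIG fields needed for this toy validator."""
    type_covered: str
    signer_name: str
    inception: int
    expiration: int
    signature: bytes


def canonical_rrset(owner: str, rtype: str, rdata: List[str]) -> bytes:
    # RFC 4034 section 6: owner name lowercased, RRs in canonical (sorted) order,
    # so the signature does not depend on the order the resolver returns records.
    return "\n".join(f"{owner.lower()} {rtype} {rr}" for rr in sorted(rdata)).encode()


def signed_data(owner: str, rtype: str, rdata: List[str], inception: int, expiration: int) -> bytes:
    # The validity window is covered by the signature, as in a real RRSIG.
    return canonical_rrset(owner, rtype, rdata) + f"|{inception}|{expiration}".encode()


def sign_rrset(owner: str, rtype: str, rdata: List[str], key: bytes, now: int, validity: int = 86400) -> RRSIG:
    """Zone-signer side: produce the toy RRSIG for an RRset (HMAC stands in for a signature)."""
    inception, expiration = now - 3600, now + validity
    mac = hmac.new(key, signed_data(owner, rtype, rdata, inception, expiration), hashlib.sha256).digest()
    return RRSIG(rtype, owner, inception, expiration, mac)


def validate(owner: str, rtype: str, rdata: List[str], rrsig: Optional[RRSIG], key: bytes, now: int) -> str:
    """Return 'secure', 'bogus' or 'insecure' (no signature present to check)."""
    if rrsig is None:
        return "insecure"
    if rrsig.type_covered != rtype or not (rrsig.inception <= now <= rrsig.expiration):
        return "bogus"
    expected = hmac.new(key, signed_data(owner, rtype, rdata, rrsig.inception, rrsig.expiration),
                        hashlib.sha256).digest()
    return "secure" if hmac.compare_digest(expected, rrsig.signature) else "bogus"


class ValidationError(Exception):
    """Raised so the application can show the user a meaningful error instead of a wrong answer."""


# (owner, type, rdata, rrsig) as it arrived from the recursive resolver.
Response = Tuple[str, str, List[str], Optional[RRSIG]]


def trusting_stub(response: Response) -> List[str]:
    """The 'agreements rather than code' model: believe the recursive resolver unconditionally."""
    return response[2]


def validating_stub(response: Response, key: bytes, now: int, zone_is_signed: bool = True) -> List[str]:
    """Validating stub: return rdata only if it checks out; otherwise raise a user-facing error.

    zone_is_signed is what the DS chain would tell a real validator; it is assumed known here.
    """
    owner, rtype, rdata, rrsig = response
    status = validate(owner, rtype, rdata, rrsig, key, now)
    if status == "secure" or (status == "insecure" and not zone_is_signed):
        return rdata
    if status == "insecure":
        status = "bogus (signed zone, but the RRSIG was stripped from the answer)"
    raise ValidationError(f"The DNS answer for {owner} failed DNSSEC validation: {status}")


# Constructed scenarios: a genuine answer, one whose A record was swapped in transit,
# and one where a middlebox or resolver stripped the signature along with the swap.
NOW = 1_700_000_000
OWNER = "www.example.test."
GOOD_SIG = sign_rrset(OWNER, "A", ["192.0.2.10"], ZONE_KEY, NOW)
GENUINE: Response = (OWNER, "A", ["192.0.2.10"], GOOD_SIG)
TAMPERED: Response = (OWNER, "A", ["203.0.113.66"], GOOD_SIG)
STRIPPED: Response = (OWNER, "A", ["203.0.113.66"], None)

if __name__ == "__main__":
    for label, resp in (("genuine", GENUINE), ("tampered", TAMPERED), ("stripped", STRIPPED)):
        print(f"{label:9s} trusting stub  -> {trusting_stub(resp)}")
        try:
            print(f"{label:9s} validating stub -> {validating_stub(resp, ZONE_KEY, NOW)}")
        except ValidationError as err:
            print(f"{label:9s} validating stub -> ERROR: {err}")
```

The trusting stub returns the attacker-chosen address in both the tampered and stripped cases; the validating stub returns only the genuine answer and turns the other two into an explicit error the browser could surface. The stripped case is the DoS trade-off from the message: once the stub insists on validation, an answer with no usable signature for a signed zone is unusable rather than merely suspicious.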