In section 7.1 the -02 draft says:

> Clearly, DNSSEC (if the client validates and hard fails) is a defense against this form of attack, but DoH/DPRIVE are also defenses against DNS attacks by attackers on the local network, which is a common case where SNI.
Where SNI what? I'd be tempted to just say that yes, an active adversary can force you to choose between privacy and connectivity, and hard-fail DNSSEC is the only existing way to choose privacy. The current text feels more like an attempt by people who don't want to face the Dancing Pig problem to justify why their latest seat-belt that snaps in a crash (to borrow Adam Langley's phrase) is a good idea anyway. But regardless of whether I'm correct about that, the sentence is confusing as it stands now.

Nick.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls