undefined | Better HN

0 pointstssva2y ago0 comments

> The motivating use case for "cryptographically signing DNS records so they can be validated as being created by the owner of the domain" was the protection of those records in flight, which is something DoH does.

According to the original DNSSEC RFC, RFC2065, the purpose of DNSSEC is to provide data origin integrity and authentication. It also states "In addition, no effort has been made to provide for any confidentiality for queries or responses. (This service may be available via IPSEC [RFC 1825].)" IPSEC didn't end up providing that role but DoH does. It doesn't address the issue of data origin integrity though.

0 comments

corford2y ago

Nice quote. I don't understand why so many people on HN have such a vocal dislike of DNSSEC and DoT. It's perfectly ok for DNSSEC, DoT and DoH to co-exist.

j / k navigate · click thread line to collapse

0 pointstssva2y ago0 comments

0 comments

corford2y ago

Nice quote. I don't understand why so many people on HN have such a vocal dislike of DNSSEC and DoT. It's perfectly ok for DNSSEC, DoT and DoH to co-exist.

j / k navigate · click thread line to collapse