This DNS over HTTP thing

[drc at virtualized.org (David Conrad)]

On Oct 7, 2019, at 10:45 AM, Jim <mysidia at gmail.com> wrote:
> My suggestion would be ultimately that DNS Clients implement DNSSEC

> validation themself to avoid tampering by a malicious client on their network
> for phishing purposes or a malicious recursive DNS Resolver server

Yep. That is (IMHO) the right (only) answer to actually fix the â??lyingâ?? problem instead of making it â??someone elseâ??s problem", although that turns lies into DoS when all you get back from your resolver is unvalidatable answers.

To solve this problem, browser vendors really should implement validation in their stub resolvers. This would have the benefit that if validation fails, a useful error message could be presented to the user (e.g., â??the website name you looked up has been tampered with!â??).  Instead, they have chosen to rely on their â??trusted recursive resolversâ?? to not lie to them and use agreements rather than code.

This, of course, doesnâ??t stop the snooping/metadata collection problem.

Regards,
-drc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191007/cd6f025e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191007/cd6f025e/attachment.sig>