June 13, 2019, 4:14 p.m.
> On Jun 13, 2019, at 11:54, Fred Baker <fredbaker.ietf@gmail.com> wrote:
>
>> On Jun 12, 2019, at 6:07 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>> But, if you already have TLS code in the device, then maybe it's cheaper to do this instead of DNSSEC.
>
> That's apples and orangutans. TLS secures the channel (chain of custody), DNSSEC secures the data regardless of the channel (correctness of the data).
I keep saying this too and correct people every time DoH or DoT is suggested as a replacement for DNSSEC. Browser vendors and DNS firewall vendors aren’t helping by building infrastructure that breaks DNSSEC by design. It’s an attack in the network.

Paul
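As an added example, not taken from the thread or written by any of its authors, the following toy Python model illustrates the distinction Fred draws. The stub-to-recursive channel is assumed to be DoT/DoH and therefore intact; the recursive resolver is modelled as a function that may pass the answer through, rewrite it, or strip its signature. The signature is an HMAC under a key the validating client already trusts, standing in for an RRSIG verified against the zone's public key (the standard library has no asymmetric primitives); the zone name and addresses are constructed.

```python
"""Toy model: channel security (DoT/DoH) versus data security (DNSSEC).

Added illustration, not code from the thread. The 'RRSIG' is an HMAC under a
key the stub trusts in advance, standing in for a public-key signature over
the RRset. The recursive resolver terminates the TLS session, so it sees and
can alter plaintext; what it cannot do is produce a valid signature for data
it invented, because it does not hold the zone's signing key.
"""
import copy
import hashlib
import hmac
import json

# Constructed stand-in for the zone's signing key. In real DNSSEC the client
# holds only the public half, chained to the root trust anchor via DS records.
ZONE_KEY = b"constructed-example-zone-key"


def canonical(rrset: dict) -> bytes:
    """Deterministic wire-like form of an RRset so signatures are reproducible."""
    return json.dumps(rrset, sort_keys=True).encode()


def sign_rrset(rrset: dict, key: bytes = ZONE_KEY) -> str:
    """Stand-in for RRSIG generation at the authoritative side."""
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def authoritative_answer(name: str) -> dict:
    """What the signed zone would return: RRset plus its signature.
    192.0.2.10 is a TEST-NET-1 address, used here as constructed data."""
    rrset = {"name": name, "type": "A", "rdata": ["192.0.2.10"]}
    return {"rrset": rrset, "rrsig": sign_rrset(rrset)}


# --- Three recursive resolvers, all reached over a 'secure' channel -------

def honest_resolver(answer: dict) -> dict:
    """Relays the authoritative answer untouched."""
    return answer


def rewriting_resolver(answer: dict) -> dict:
    """Rewrites the A record (as a DNS firewall or a compromised resolver
    could). TLS between stub and resolver cannot reveal this: the resolver
    is the legitimate TLS endpoint. It leaves the old signature in place
    because it cannot mint a new one."""
    tampered = copy.deepcopy(answer)
    tampered["rrset"]["rdata"] = ["198.51.100.99"]  # TEST-NET-2, constructed
    return tampered


def stripping_resolver(answer: dict) -> dict:
    """Drops the signature entirely, the 'breaks DNSSEC by design' case."""
    stripped = copy.deepcopy(answer)
    stripped.pop("rrsig", None)
    return stripped


# --- Two kinds of client -------------------------------------------------

def channel_only_client(answer: dict) -> list:
    """Trusts whatever arrives over the authenticated channel."""
    return answer["rrset"]["rdata"]


def validating_client(answer: dict) -> list:
    """Accepts data only if the signature over the RRset verifies.
    Assumes the client already knows this zone is signed (in real DNSSEC the
    DS chain establishes that), so a missing signature is bogus, not insecure."""
    sig = answer.get("rrsig")
    if sig is None:
        raise ValueError("BOGUS: signed zone but no RRSIG present")
    if not hmac.compare_digest(sign_rrset(answer["rrset"]), sig):
        raise ValueError("BOGUS: RRSIG does not verify over the RRset")
    return answer["rrset"]["rdata"]


def resolve(name: str, resolver, validate: bool) -> tuple:
    """Run one lookup through the given resolver with or without validation.
    Returns (status, rdata) where status is INSECURE, SECURE or BOGUS."""
    answer = resolver(authoritative_answer(name))
    if not validate:
        return ("INSECURE", channel_only_client(answer))
    try:
        return ("SECURE", validating_client(answer))
    except ValueError:
        return ("BOGUS", None)


if __name__ == "__main__":
    for label, r in [("honest", honest_resolver),
                     ("rewriting", rewriting_resolver),
                     ("stripping", stripping_resolver)]:
        for validate in (False, True):
            print(f"{label:10s} validate={validate!s:5s} ->",
                  resolve("example.test", r, validate))
```

The channel-only client returns the rewritten address with no indication that anything is wrong, because from the transport's point of view nothing is: the bytes arrived intact from the endpoint the stub authenticated. The validating client rejects both the rewritten and the stripped answer, which is the "correctness of the data regardless of the channel" property the thread is about.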