On 10/1/19 12:18 PM, Jay R. Ashworth wrote:
----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer@nic.fr> On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin <lists.nanog@monmotha.net> wrote a message of 10 lines which said:
It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual. Unless, I hope, the user explicitely overrides this. (Because this canary domain contradicts DoH's goals, by allowing the very party you don't trust to remotely disable security.) Security?
This is thought to be about security?
Didn't we already *fix* DNS SECurity?
DNSSEC only deals with authentication, not confidentiality...
No, I tend to buy the "Alphabet looking over your shoulder" argument a lot more than 'security', here, so far.
...of course the main people you'd like to keep this confidential from are the ones on the other end of the DNS pipe, be it ISP's or Google, et al. So i'm not exactly sure what problem this solves, beyond giving Google and the rest a shot at seeing all of that yummy data. Mike