On Oct 7, 2019, at 10:45 AM, Jim <mysidia@gmail.com> wrote:
My suggestion would be ultimately that DNS Clients implement DNSSEC
validation themself to avoid tampering by a malicious client on their network for phishing purposes or a malicious recursive DNS Resolver server
Yep. That is (IMHO) the right (only) answer to actually fix the ‘lying’ problem instead of making it “someone else’s problem", although that turns lies into DoS when all you get back from your resolver is unvalidatable answers. To solve this problem, browser vendors really should implement validation in their stub resolvers. This would have the benefit that if validation fails, a useful error message could be presented to the user (e.g., “the website name you looked up has been tampered with!”). Instead, they have chosen to rely on their “trusted recursive resolvers” to not lie to them and use agreements rather than code. This, of course, doesn’t stop the snooping/metadata collection problem. Regards, -drc