Jay,

On Oct 1, 2019, at 12:18 PM, Jay R. Ashworth <jra@baylink.com> wrote:
This is thought to be about security?

Didn't we already *fix* DNS SECurity?

No.  DNSSEC solves a different problem (being able to verify what you get is what the domain owner published). 

DoH (and DoT) encrypt (and authenticate) the application <-> recursive resolver channel (NOT the DNS data) which I gather some view as an attack vector. Mozilla has decided to _also_ redefine the default resolver (unless use-application-dns.net NXDOMAINs), instead of the resolver (typically) assigned by the ISP, for browser queries.  That last bit is generating a bit of ‘discussion’ as it can bypass efforts by network operators to modify DNS responses for whatever reason (e.g., protect customers from phishing sites, censoring domain names due in response to court orders, monetizing typos, etc.).

Regards,
-drc