@Paul_IPv6 @letoams You're both repeating what I said, but that's fair if (though experiment:) you believe in some absolute truth in DNS - which is a common and understandable belief, because we tend to assume that there is only one DNS, only one system, and that it is global.
@Paul_IPv6 @letoams If you polytheisticly follow the thought experiment and admit is just "a system" rather than some omniscient and single store of truth ("the DNS is true, the DNS is one") then you are squarely back in the land of trusting your upstream priest/resolver. [typo fixed]
@Paul_IPv6 @letoams DNSSEC is nowhere, and we have no global truth to "rely" upon, and anyway if we did would probably be a bad thing to go around and blindly trust what our local DNS church simply tells us.
Lacking such, it's better to build a relationship with just one resolver, & use them.
Lacking such, it's better to build a relationship with just one resolver, & use them.
@Paul_IPv6 @letoams So yes, DOH is "just" transport security. It's a secure phone call to the priest/resolver that you always use, rather than putting your trust in the priest you met in the local cafe and who assures you that his answer will be the same as your usual guy's
@Paul_IPv6 @letoams So yes, DOH Is "just" single hop encryption, which with TLS (esp TLS1.3) will be an ironclad phonecall to the resolver with which you have a relationship, so you can navigate the world with the help of the priest/resolver with whom you have a relationship.
@Paul_IPv6 @letoams Because DNS is not really a unitary & omniscient source of absolute truth — and because it would probably be quite oppressive if we were — what's more important than a plugging into a "global church of DNS truth" is the relationship with the resolver whom you already trust.
@Paul_IPv6 @letoams So, that's what I mean by "integrity". Clear, now?
@Paul_IPv6 @letoams And I'm an atheist, which is why I deal in Onion Addresses and stopped trusting priests/resolvers a long time ago.
@Paul_IPv6 @letoams @threadreaderapp unroll please
