Thread by Alec Muffett, 10 tweets, 7 min read
@Paul_IPv6 @letoams You're both repeating what I said, but that's fair if (thought experiment:) you believe in some absolute truth in DNS - which is a common and understandable belief, because we tend to assume that there is only one DNS, only one system, and that it is global.
@Paul_IPv6 @letoams If you polytheistically follow the thought experiment and admit it is just "a system" rather than some omniscient and single store of truth ("the DNS is true, the DNS is one") then you are squarely back in the land of trusting your upstream priest/resolver. [typo fixed]
@Paul_IPv6 @letoams DNSSEC is nowhere, and we have no global truth to "rely" upon, and anyway if we did, it would probably be a bad thing to go around and blindly trust what our local DNS church simply tells us.

Lacking such, it's better to build a relationship with just one resolver, & use them.
@Paul_IPv6 @letoams So yes, DoH is "just" transport security. It's a secure phone call to the priest/resolver that you always use, rather than putting your trust in the priest you met in the local cafe and who assures you that his answer will be the same as your usual guy's.
@Paul_IPv6 @letoams So yes, DoH is "just" single hop encryption, which with TLS (esp TLS1.3) will be an ironclad phone call to the resolver with which you have a relationship, so you can navigate the world with the help of the priest/resolver with whom you have a relationship.
@Paul_IPv6 @letoams Because DNS is not really a unitary & omniscient source of absolute truth — and because it would probably be quite oppressive if it were — what's more important than plugging into a "global church of DNS truth" is the relationship with the resolver whom you already trust.
@Paul_IPv6 @letoams So, that's what I mean by "integrity". Clear, now?
@Paul_IPv6 @letoams And I'm an atheist, which is why I deal in Onion Addresses and stopped trusting priests/resolvers a long time ago.
So, to recap:

>Integrity is a matter of who (if?) you have a trust chain, and whether your names being resolved partake of it.

Rephrase:

1/ #DoH reduces trust-chain risk by putting you in touch with your usual resolver

2/ #DNSSEC is… meh.
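To make the "just transport security" point concrete, here is an added example (not the thread author's code) that builds a plain RFC 1035 wire-format query, frames it exactly as an RFC 8484 DoH GET request would, and parses a constructed response. The resolver URL `resolver.example` is a placeholder; the 192.0.2.1 answer is constructed sample data. The thing to notice is that the DNS message inside the HTTPS request is byte-for-byte ordinary DNS: TLS protects the single hop to your chosen resolver, and nothing in the message itself is authenticated unless the zone carries DNSSEC signatures.

```python
import base64
import struct
from urllib.parse import urlencode

# Hypothetical DoH endpoint (RFC 8484 path); "resolver.example" is a placeholder.
DOH_URL = "https://resolver.example/dns-query"

def build_dns_query(name, qtype=1, txid=0):
    """Plain DNS wire-format query (RFC 1035): RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(query, base_url=DOH_URL):
    """RFC 8484 GET framing: the untouched DNS message, base64url without padding,
    in the 'dns' parameter. TLS secures this hop only; the message is unsigned."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return base_url + "?" + urlencode({"dns": param})

def doh_param_to_query(param):
    """Inverse of the framing: restore padding and decode back to wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_a_answers(msg):
    """IPv4 addresses from the answer section (handles RFC 1035 name compression)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    def skip_name(p):
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
                return p + 2
            p += 1 + length
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample response for the query below: one A record, 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_dns_query("example.com", txid=0x1234)[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Feeding `doh_get_url(build_dns_query("example.com", txid=0x1234))` to any HTTPS client with `Accept: application/dns-message` is the entire protocol; the resolver you send it to is the only party you are trusting.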
