comp.misc: General topics about computers not cover (21,759 messages)
Message 20,344 of 21,759
Grant Taylor to Richard Kettlewell
Re: [LINK] Calling time on DNSSEC?
28 Nov 24 09:37:30
From: gtaylor@tnetconsulting.net

On 11/28/24 02:52, Richard Kettlewell wrote:
> If you’re writing that then I don’t think you understood my point.

I understood your point.

I disagreed with your point.

> The problem people actually have is exchanging information with
> websites without anyone else being able to read or modify that data.

I feel the need to reiterate that the Internet is far more than just
websites or web hosted content.

> DNSSEC on its own obviously can’t solve that.

TLS on its own can't do that either.

> DNS + TLS does solve it, sufficiently well. (Using TLS to include
> Internet PKI.)

For some nebulous value of sufficiently well.

The Internet PKI can be -> is an Achilles heel.

> DNSSEC + TLS would also solve it, but why would someone bother with
> DNSSEC when DNS+TLS is good enough for their needs?

DNS w/o DNSSEC is trusting that someone hasn't modified the data between
the authoritative source and you the consumer.

DNSSEC cryptographically authenticates the data, thus making it possible
to validate or detect modification.

Do you trust that your DNS server is giving you validated information?
Or would you like some proof that what it's giving you is validated?

There are all sorts of ways to modify DNS data in flight between clients
and authoritative servers. As previously established, TLS (et al.) by
itself isn't sufficient. TLS needs a remote endpoint to communicate
with. Name resolution is required to be able to resolve the name you
want to communicate with to an IP address to connect to. DNS is the
biggest and most common way that name resolution happens. Local hosts
files are also contenders, but they are way behind DNS.

I like to have my local DNS recursive resolver cryptographically
validate information whenever possible.

I use DNSSEC protected DNS to host things like TLS certificate public
keys with DANE and SSH fingerprints and other similar information that
allows me to function without the PKI.

It comes down to whether people care if the information they get from DNS is
cryptographically verifiable or not. I personally care. Many people
don't know and most of them wouldn't care.

--
Grant. . . .

--- SoupGate-DOS v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
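The post above mentions publishing SSH host key fingerprints (SSHFP) and TLS public keys (DANE/TLSA) in a DNSSEC-signed zone so that a client can verify the peer without the Internet PKI. The following is an added example, not code from the post or from any of the tools it mentions: it derives both record types from a single Ed25519 public key using only the Python standard library and checks a received record against the key. The key material is a constructed placeholder, not a real host key, and the OpenSSH wire encoding, the SSHFP algorithm/fingerprint-type numbers (RFC 4255, 6594, 7479), the Ed25519 SubjectPublicKeyInfo header (RFC 8410) and the TLSA field meanings (RFC 6698) are taken from the RFCs. The function and constant names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed 32-byte placeholder key; NOT a real host key.
RAW_ED25519_KEY = bytes(range(0x10, 0x30))


def ssh_wire_string(b: bytes) -> bytes:
    """SSH 'string' encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# OpenSSH public key blob for ed25519: string("ssh-ed25519") || string(key).
OPENSSH_BLOB = ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(RAW_ED25519_KEY)
# The familiar one-line form found in known_hosts / ssh_host_ed25519_key.pub.
OPENSSH_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(OPENSSH_BLOB).decode() + " constructed@example"
)

# SSHFP RDATA: algorithm (RFC 4255: 1=RSA, 2=DSA; RFC 6594: 3=ECDSA; RFC 7479: 4=Ed25519)
# and fingerprint type (1=SHA-1, 2=SHA-256). The fingerprint covers the whole key blob.
SSHFP_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def sshfp_records(pubkey_line: str):
    """Return the (algorithm, fptype, hex-fingerprint) tuples for an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob carries its own type string; refuse a line whose label and blob disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type label does not match the key blob")
    algo = SSHFP_ALGO[keytype]
    return [
        (algo, SSHFP_SHA1, hashlib.sha1(blob).hexdigest()),
        (algo, SSHFP_SHA256, hashlib.sha256(blob).hexdigest()),
    ]


def sshfp_matches(pubkey_line: str, rr_text: str) -> bool:
    """rr_text is SSHFP RDATA in presentation form, e.g. '4 2 <hex>'."""
    algo, fptype, fp = rr_text.split()
    return (int(algo), int(fptype), fp.lower()) in sshfp_records(pubkey_line)


# DER SubjectPublicKeyInfo for Ed25519 (RFC 8410): SEQUENCE { SEQUENCE { OID 1.3.101.112 },
# BIT STRING (0 unused bits) key }. The header is fixed; only the 32 key bytes vary.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_key: bytes) -> bytes:
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def tlsa_record_dane_ee_spki(spki_der: bytes) -> str:
    """TLSA RDATA: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_matches(spki_der: bytes, rr_text: str) -> bool:
    """Check a TLSA record against the peer's SPKI; only usage 3 / selector 1 handled here."""
    usage, selector, mtype, data = rr_text.split()
    if (usage, selector) != ("3", "1"):
        raise ValueError("example only handles DANE-EE with the SPKI selector")
    if mtype == "0":          # full SPKI in the record
        expected = spki_der.hex()
    elif mtype == "1":        # SHA-256
        expected = hashlib.sha256(spki_der).hexdigest()
    elif mtype == "2":        # SHA-512
        expected = hashlib.sha512(spki_der).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return data.lower() == expected


if __name__ == "__main__":
    for algo, fptype, fp in sshfp_records(OPENSSH_PUBKEY_LINE):
        print(f"host.example. IN SSHFP {algo} {fptype} {fp}")
    print("_22._tcp.host.example. IN TLSA", tlsa_record_dane_ee_spki(ed25519_spki_der(RAW_ED25519_KEY)))
```

The same output comes from `ssh-keygen -r host.example` for a real host key, and OpenSSH consults these records when `VerifyHostKeyDNS` is set. The caveat the post is driving at applies here: a matching SSHFP or TLSA record proves nothing unless the zone is DNSSEC-signed and the resolver actually validated the answer (the AD flag in the response, from a resolver you trust or one you run yourself). An attacker who can spoof the A record can just as easily spoof an unsigned SSHFP record to match their own key.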