@bagder @icing haven't looked at c-ares, but for the DNS, if you go down the route of using libraries like getdnsapi (not sure how updated it is) or ldns, you could also introduce proper client-side DNSSEC validation for the HTTPS records 🙂
Notices by Jerry Lundström :catjam: (jelu@mastodon.social)
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:43 JST
@bagder @icing Woot! Nice! Let me know if you need help with the DNS part, kinda into that stuff 🙃
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:42 JST
That's like comparing apples with oranges.
TLS does not protect against cache poisoning or any other type of DNS data manipulation.
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:41 JST
@bagder @icing How can you be sure of that without validating the DNS data you get using DNSSEC?
Again, DNS-over-HTTPS only secures the communication, not the data!
You could be speaking to a malicious/spoofed endpoint or poisoned caches.
The only way to validate the DNS data you get is by using DNSSEC.
Happy to explain the differences more; are you coming to the Netnod spring meeting?
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:40 JST
@bagder @icing And I'm sorry, because it doesn't sound like you understand DNSSEC then. Maybe I'm missing a part, but if you're only relying on DoH to give you validated DNS data, then you're doing it wrong. It should be DoH(/DoT/DoQ)+DNSSEC.
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:39 JST
@bagder @icing That was unneeded.
We seem to have talked about different things.
I was only pointing out the importance of validating DNS data, nothing to do with the HTTP TLS connection.