Open letmaik opened 2 years ago
I guess the answer is that full DNSSEC validation (validating keys using a DNSSEC trust anchor) isn't usually done client-side but rather the nameserver's DNSSEC validation is trusted (resulting in an AD flag in the response), in which case DoH is important, as the nameserver response itself would otherwise be unprotected. Is this correct?
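The model described in the issue, as an added example that is not part of the original thread or the did:dns draft: a stub client reads the AD bit from the resolver's DNS response header and treats it as meaningful only when the hop between resolver and client is itself protected (DoH or DoT) or the validating resolver is local. The transport labels, the `SAMPLE_*` messages and the function names are constructed for this illustration.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD are from RFC 4035)
FLAG_QR = 0x8000      # response (1) vs query (0)
FLAG_RA = 0x0080      # recursion available
FLAG_AD = 0x0020      # authenticated data: resolver claims DNSSEC-validated
FLAG_CD = 0x0010      # checking disabled: client asked resolver not to validate
RCODE_MASK = 0x000F

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its flag fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

# Constructed labels for how the stub reached the resolver. Only on these
# can the AD bit be trusted: anyone on the path of a plaintext UDP/TCP
# query could set or clear AD in the reply, since the bit is not signed.
PROTECTED_TRANSPORTS = {"doh", "dot", "local-validating-resolver"}

def answer_is_dnssec_secure(msg: bytes, transport: str) -> bool:
    """True only if the resolver asserts validation (AD set, no error) AND
    the resolver-to-client hop is protected, so the assertion can't be forged."""
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0:
        return False          # not a successful response at all
    if h["cd"] or not h["ad"]:
        return False          # resolver did not (or was told not to) validate
    return transport in PROTECTED_TRANSPORTS

# Constructed sample headers: ID 0x1234, 1 question, 1 answer.
# flags 0x81A0 = QR | RD | RA | AD ; flags 0x8180 = QR | RD | RA (no AD)
SAMPLE_AD = bytes.fromhex("1234" "81a0" "0001" "0001" "0000" "0000")
SAMPLE_NO_AD = bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000")

if __name__ == "__main__":
    for name, msg in (("with AD", SAMPLE_AD), ("without AD", SAMPLE_NO_AD)):
        for transport in ("udp", "doh"):
            print(name, transport, answer_is_dnssec_secure(msg, transport))
```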
Thanks for your comment! I don't think the draft specification says that it's "recommended", but yes, it's mentioned. This section was copied from the did:web specification (see https://danubetech.github.io/did-method-dns/#dns-security-considerations), which has some similar concerns to did:dns.
This is certainly one open issue that can be discussed and probably clarified further.
Is this because DNSSEC isn't universally available yet?