undefined | Better HN

0 pointstheamk5y ago0 comments

Huh? They say this:

> The whole process begins with clients that encrypt their query for the target using HPKE. Clients obtain the target’s public key via DNS, where it is bundled into a HTTPS resource record and protected by DNSSEC. When the TTL for this key expires, clients request a new copy of the key as needed (just as they would for an A/AAAA record when that record’s TTL expires). The usage of a target’s DNSSEC-validated public key guarantees that only the intended target can decrypt the query and encrypt a response (answer).

So this looks like relies on DNSSEC as a core part of its security, and that any resolvers willing to participate in this protocol would have to set up one.

0 comments

tptacek5y ago

Oh, gross! I missed that; I read the TechCrunch article and thought I understand what they were going for. Thanks for the correction. That's disgusting.

alwillis5y ago

Thank you for the part regarding DNSSEC--I was just about to post the same thing.

j / k navigate · click thread line to collapse