HTTPS RR in Curl

12 comments

·March 31, 2025

max-privatevoid

Fetching DNS records about HTTPS over DNS-over-HTTPS. Absolutely ossified.

ahoka

The race to make HTTP proprietary continues.

arccy

DoH is for far more than HTTP

vbezhenar

There are two competing approaches to secure DNS.

1. DNS Security Extensions (DNSSEC).

2. DNS over HTTPS (DoH).

Both kind of work, but it seems that the second approach is more practical, because it does not require reconfiguration of the billions of servers and just requires modification of client software, which is usually easier to implement for software vendors.

ivanr

Those two don't really compete. DNSSEC provides authenticity/integrity without privacy and DoH does exactly the opposite. If anything, you need both in order to secure DNS.

tptacek

They don't compete in any immediate way, but over the long term, end-to-end DNS secure transport would cut sharply into the rationale for deploying DNSSEC. We're not there yet (though: I don't think DNSSEC is a justifiable deployment lift regardless).

It's worth keeping in mind that the largest cause of DNS authoritative data corruption isn't the DNS protocol at all, but rather registrar phishing.

Honestly, and I think this has been true for a long time, but in 2025 the primary (perhaps sole) use case for DNSSEC is as a trust anchor for X.509 certificate issuance. If that's all you need, you can get that without a forklift upgrade of the DNS. I don't think global DNSSEC is going to happen.

immibis

At least in curl it's an option, not a requirement or even a default.

samueloph

You can test it on Debian experimental, or use a Debian container:

$ podman run debian:experimental /bin/bash -c 'apt install --update -t experimental -y curl && curl --version'

Version 8.13.0~rc3-1+exp1 is syncing to the repositories and has HTTPS RR support enabled.