by shincert
3121 days ago
> Basically, unless everything is 100% DNSSEC, there's an opportunity for tampering. Fortunately, though, OCSP responses are signed, as we mentioned earlier. If the OCSP response comes with a valid signature, it can be trusted -- whether DNSSEC is in use or not. A response with an invalid signature (for whatever reason) obviously cannot be trusted. Let me ask you that first question again with this in mind: will running your own DNS server increase the security any? Will it increase the amount of trust you have in the validity of the certificates presented to you by clients?

That was very enlightening, thank you for your help. I can see it won't improve my trust in the OCSP responses or CRLs, but would it not be desirable to encrypt as much traffic (i.e. DNS queries) as I can in an effort to prohibit a potential attacker from employing traffic analysis techniques with the goal of learning something? This hypothetical scenario doesn't seem so far-fetched to me. Eventually, my encrypted DNS query will be forwarded to a DNS resolver that doesn't employ encryption and it will be in the clear, but how would the attacker know where to look next? If the original DNS query is encrypted, an attacker sniffing the network will not be able to know which DNS resolver the query was forwarded to, right? If so, then he can't follow up on that and I've successfully prevented him from learning what the DNS query was about. In short, I am not trying to increase my trust in the exchanges, but rather hide them as much as possible for the sake of obscurity. Is this reasonable?
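The quoted point, that an OCSP response stands or falls on its own signature no matter how the query reached the responder, can be shown offline with the openssl CLI. The script below is an added example written for this page, not code from the thread or from OpenSSL's own documentation: it builds a throwaway CA and leaf certificate, has openssl's built-in responder (openssl ocsp -index) sign a "good" response for the leaf, verifies that response as a client would, then flips one byte of the signature and verifies again. The names (Demo CA, leaf.example), the serial 0x1001 and the scratch directory are assumptions made up for the demo; it needs only a local openssl binary and never touches the network.

```sh
#!/bin/sh
# Added example, not code from the thread: an offline OCSP round trip with the
# openssl CLI. A scratch CA signs a leaf certificate, the built-in responder
# (openssl ocsp -index) produces a signed "good" response, the client verifies
# the signature, then one byte of the signature is flipped and verification is
# repeated. Names (Demo CA, leaf.example), serial 0x1001 and the scratch
# directory are assumptions made up for the demo; nothing touches the network.
set -eu

# Build the CA, the leaf and the responder's flat index in a fresh temp dir.
ocsp_setup() {
    WORK=$(mktemp -d)
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -days 2 -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 2 -out leaf.pem >/dev/null 2>&1
    # index.txt columns: status, expiry, revocation date, serial (hex), file,
    # subject. 'V' = valid, so the responder answers "good" for serial 0x1001.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt
}

# Act as the responder: answer a request for leaf.pem, signing with the CA key.
# -resp_no_certs keeps the signer cert out of the response, so the signature is
# the last element of the DER (ocsp_tamper relies on that).
ocsp_sign_response() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert leaf.pem -no_nonce -ndays 1 -resp_no_certs \
        -respout "$1" >/dev/null 2>&1
}

# Act as the client: succeed only if the signature checks out against the
# responder certificate we trust (-VAfile) and the answer for leaf.pem is "good".
ocsp_verify_ok() {
    out=$(openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem \
        -CAfile ca.pem -VAfile ca.pem -no_nonce 2>&1) || true
    echo "$out" | grep -q '^Response verify OK' &&
        echo "$out" | grep -q '^leaf.pem: good'
}

# Simulate on-path tampering: change the last byte of the DER, i.e. the last
# byte of the signature, without breaking the ASN.1 structure around it.
ocsp_tamper() {
    size=$(wc -c < "$1")
    last=$(tail -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    dd if="$1" of="$2" bs=1 count=$((size - 1)) 2>/dev/null
    printf "$(printf '\\%03o' $(( (last + 1) % 256 )))" >> "$2"
}

# Full run: prints one line per check and returns 0 only if the untampered
# response is accepted and the tampered one is rejected.
ocsp_demo_run() {
    ocsp_setup
    ocsp_sign_response resp.der
    ocsp_tamper resp.der bad.der
    if ocsp_verify_ok resp.der; then
        echo "original response: accepted"
    else
        echo "original response: REJECTED"; return 1
    fi
    if ocsp_verify_ok bad.der; then
        echo "tampered response: ACCEPTED"; return 1
    else
        echo "tampered response: rejected"
    fi
}

ocsp_demo_run
```

Run it with sh; the two result lines are the whole point: the response signed by the responder key is accepted, and the same bytes with one byte of the signature changed are rejected, whether they arrived over DNSSEC-validated, encrypted or plaintext paths. The -VAfile flag tells openssl to treat ca.pem as the trusted responder certificate and check only the signature; against a real CA you would leave the signer certificate in the response and let the full chain be validated against -CAfile instead.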