[vavrusa]

It's worth mentioning that encrypted DNS is not just about privacy, but also integrity. It's more difficult to intercept or spoof in hostile networks.

ISP can still see the target IP address and SNI. The IP address is sometimes meaningful (single website), but not if it's a CDN or a multi-tenant server. The SNI is being worked on (encrypted SNI, ORIGIN frame, CERTIFICATE frame). The point is none of that matters without encrypted DNS.

[kuschku]

> It's worth mentioning that encrypted DNS is not just about privacy, but also integrity. It's more difficult to intercept or spoof in hostile networks.

That’s why we all have DNSSEC enabled on our domains, right? Right?

[vavrusa]

DNSSEC is orthogonal to this. Its goal is to prove integrity of records between authoritatives and the closest validator. The validator is most often the resolver doing the recursion, not the client. The client can either revalidate all the answers and/or establish a secure channel between the itself and the resolver (with the added privacy bonus). The reason why many clients don't revalidate is because it's time consuming (basically same complexity as recursor), and fragile (recursive operators can work around DNSSEC screwups by adding negative trust anchors), so it's a tradeoff between convenience and risk.

There's an ongoing work to make revalidation easier - the client would basically ask the recursive to not only provide answer, but also a whole trust chain from a known trust anchor (so it would revalidate the answer without additional queries) https://tools.ietf.org/html/rfc7901