[devrand]

Sort of. Let’s Encrypt checks multiple DNS operators, so you’d need to compromise multiple from LE’s perspective.

Whereas putting the public key in DNS only requires compromising a user’s nearest DNS server. For example, in my home network I would be able to MITM any site that anyone using my DNS server, which DHCP will gladly hand out, attempts to connect to.

Edit: actually, I would be to MITM any unencrypted DNS lookup. So even if they didn’t use my DNS server, I could still alter the responses.

[tzs]

I didn't state it, but I was assuming that browsers would only use keys from DNS servers if they had used DNS over HTTPS to make sure they are talking to a DNS server that the user trusts.

[devrand]

And what if the request isn’t made via DoH (very few today are)? Do we just fallback to the existing Web PKI? If so we’d now have two systems to support until everything is migrated to DoH, which can very well be never.

Also, how do we know which certificate to use for DoH?

[lolinder]

Ah, that makes sense! I thought you were talking about the root nameservers, I wasn't considering all the other DNS servers.