by infogulch 357 days ago
Sure, I agree, the next increment in privacy comes with using DoT/DoH (in fact some browsers require this to use ESNI at all). Probably throw in DNSSEC next. Having IP certs is just one more (small) step in that direction.

> you include a key to encrypt the ESNI for "www.secret.com" in a DNS record

I've never heard of this, is this a thing that exists today? (edited to remove unnecessary comment)


> I've never heard of this, is this a thing that exists today?

Are you arguing against one small step in a series of improvements by using a nonexistent hypothetical as evidence that the small step is unnecessary?

see: https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...

Thanks.

> Another Internet Draft incorporates a parameter for transmitting the ECH public keys via HTTPS and SVCB DNS record types, shortening the handshake process.[24][25]

[25]: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings | https://datatracker.ietf.org/doc/draft-ietf-tls-svcb-ech/
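As an added example (not code from any commenter or from the draft): a small Python parser that pulls the `ech` SvcParam out of an HTTPS/SVCB record's RDATA and decodes the ECHConfigList inside it, so an operator can check which public_name and KEM a zone actually advertises. The sample record is constructed inline and is not a real zone's data; SvcParam key numbers and the version 0xfe0d ECHConfig layout follow the SVCB and ECH drafts.

```python
import struct
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def read_name(buf, pos):  # uncompressed DNS wire-format name -> (name, next_pos)
    labels = []
    while buf[pos] != 0:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def parse_https_rdata(rdata):
    """HTTPS/SVCB RDATA = SvcPriority(u16) TargetName SvcParams(key,len,value)*."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = read_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
    return priority, target, params

def parse_echconfig_list(blob):
    """Return (config_id, kem_id, public_name) for each ECHConfig we understand."""
    total = struct.unpack("!H", blob[:2])[0]
    pos, configs = 2, []
    while pos < 2 + total:
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body, pos = blob[pos + 4:pos + 4 + length], pos + 4 + length
        if version != 0xFE0D:  # draft version; clients skip versions they don't know
            continue
        config_id, kem_id, pk_len = struct.unpack("!BHH", body[:5])
        p = 5 + pk_len                                   # skip HPKE public key
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # skip cipher_suites
        p += 1                                           # maximum_name_length
        public_name = body[p + 1:p + 1 + body[p]].decode("ascii")
        configs.append((config_id, kem_id, public_name))
    return configs

def build_sample_rdata():  # constructed record (not a real zone): alpn=h2 + one ECHConfig
    body = (struct.pack("!BHH", 7, 0x0020, 32) + b"\x11" * 32        # id 7, X25519, fake key
            + struct.pack("!HHH", 4, 0x0001, 0x0001)                  # HKDF-SHA256 / AES-128-GCM
            + b"\x40" + bytes([14]) + b"public.example"               # max_name_len, public_name
            + struct.pack("!H", 0))                                   # no extensions
    ech_list = struct.pack("!HHH", 4 + len(body), 0xFE0D, len(body)) + body
    return (struct.pack("!H", 1) + b"\x00"                            # priority 1, target "."
            + struct.pack("!HH", 1, 3) + b"\x02h2"                    # alpn SvcParam
            + struct.pack("!HH", 5, len(ech_list)) + ech_list)        # ech SvcParam
```

Feeding real RDATA from a resolver (e.g. the bytes of an HTTPS answer) into `parse_https_rdata` tells you whether ECH is advertised at all, which is the DoH/DoT-protected lookup the thread is talking about.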

DNSSEC is an integrity control, not a privacy control.

gp proposes a scenario where an integrity breach is lifted to a privacy breach; insisting on a strict distinction doesn't seem useful in this context.

I think it’s a fair aside. One doesn’t just “throw in a little DNSSEC” in a security discussion without extreme care.