[davidu]

That's actually not true, not even a little bit. We've covered this before. When the resolver issues a query, we can disable the DS bit and disable DNSSEC for our customers. Alternatively, we can extend our DNSCrypt client to do validation and rejection of malicious responses.

DNSSEC doesn't add security, nor does it prevent our business from operating to the fullest extent.

[mike-cardwell]

You're playing the long game. If OS's end up locally verifying DNS responses then you're out of business.

On the other hand, DNSCrypt is utterly useless and worthless. Wow, my ISP can't see that I'm looking up "www.example.com", oh... but my ISP can see that I am connecting to x.x.x.x on port 443 and sending "www.example.com" in the SSL handshake because of SNI. So now, both my ISP and OpenDNS (double the third parties) can see that I'm connecting to www.example.com, even if I'm using HTTPS. How exactly is this supposed to help my privacy?

DNSSEC and DNSCrypt both attempt do completely different things. DNSSEC is much better at doing what it is trying to do (even though it's far from perfect) than DNSCrypt.

[davidu]

I am one of the biggest proponents of end-users running a full-blown resolver. I've been on the record on this point. Like the OP, it sounds like you really don't know what business we're in. Monetizing DNS with ads isn't our business, and it hasn't been for more than four years.

[mike-cardwell]

Sounds like you really don't know how to read. I didn't mention ads once.

[davidu]

Okay -- Maybe I jumped to your conclusion erroneously. How is my business impacted?