why would we still require DNSSEC records considering the fact that we already know for sure in order to insert said data we require a signed transaction from a wallet?
DNSSEC has two purposes: to prove that the data returned is authentic, and to prove that the data returned is accurate. These are usually mixed up in DNSSEC due to the fact that an authoritative server has both jobs, but this is no longer the case with DNS over ENS.
To give an example: someone queries for foo.bar.com. A traditional DNS server could lie in two different ways:
- Not return any data even though a record is present (or vice versa)
- Return incorrect/misleading data
these are the situations that are avoided by using DNSSEC. Although it is possible for any user to confirm the results of a DNS query from the on-chain data to do so they need to be their own ENS resolver, not to mention the fact that they need to be aware that the data comes from the chain. So DNSSEC continues to have a place even if the DNS data itself is stored (or reference) on-chain.
I do see the value of using DNSSEC for protecting the queried data while it’s travelling over insecure channels
On-the-wire security isn’t relevant for DNSSEC; the information is public anyway. The only benefit of encrypting in flight is to hide the query.
Yet storing the data in IPFS would be problematic due to the lack of encryption on the nodes.
If the data was encrypted then the DNS servers would need to be able to decrypt it; given that we would want anyone to be able to read the data this would be counter-productive. This does, however, mean that an intelligent user could obtain the data for an entire zone if they know what they are doing. This comes down to “the blockchain is public” and I think that we will need to accept this as a consequence of people putting their data on the chain.
(Note that a record-based system would avoid the issue of exposing data as mappings in Solidity aren’t reversible, but although this is fine for traditional DNS it doesn’t work for DNSSEC due to the NSEC/NSEC3 records).