In message <alpine.lrh.2.20.1610141146120.21...@bofh.nohats.ca>, Paul Wouters w
> On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
> > "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
> > On Fri, Oct 14, 2016 at 10:04:21AM -0400,
> > Paul Wouters <p...@nohats.ca> wrote
> > a message of 19 lines which said:
> >> But by adding delegations in the root to AS112, aren't we making it
> >> more likely that the queries leak further onto the net?
> > That's precisely the point described in section 6, second paragraph.
> The difference is between "doing the draft and reducing the problem
> caused" versus "this problem is big enough to not do the draft".
> I do not know yet where I stand on this. I do feel that since we are
> talking about "bad old DNS software" that wouldn't already be suppressing
> special use names, it is most likely that this old software also does
> not support DNAMEs.
A alternative is to insecurely delegate .local to the root servers
themselves and to request that recursive servers maintain their own
empty .local. The roots will then get just DS queries for .local
when there is a validating recursive client behind the recursive
server that is leaking <foo>.local queries into the DNS.
The same solution also works for .onion.
Having a local copy of the root zone still works with this.
This stops leaks of <foo>.local to the root servers which qname
minimisation doesn't. The extent of the leak is that you know
.local is in use when you have a validating recursive client.
> DNSOP mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
DNSOP mailing list