On Fri, Oct 14, 2016 at 3:51 PM, Mark Andrews <ma...@isc.org> wrote:
> In message <alpine.lrh.2.20.1610141146120.21...@bofh.nohats.ca>, Paul Wouters wrote:
> > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
> > > "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
> > >
> > > On Fri, Oct 14, 2016 at 10:04:21AM -0400,
> > > Paul Wouters <p...@nohats.ca> wrote
> > > a message of 19 lines which said:
> > >
> > >> But by adding delegations in the root to AS112, aren't we making it
> > >> more likely that the queries leak further onto the net?
> > >
> > > That's precisely the point described in section 6, second paragraph.
> > The difference is between "doing the draft and reducing the problem
> > caused" versus "this problem is big enough to not do the draft".
> > I do not know yet where I stand on this. I do feel that since we are
> > talking about "bad old DNS software" that wouldn't already be suppressing
> > special use names, it is most likely that this old software also does
> > not support DNAMEs.
> > Paul
> An alternative is to insecurely delegate .local to the root servers
> themselves and to request that recursive servers maintain their own
> empty .local. The roots will then get just DS queries for .local
> when there is a validating recursive client behind the recursive
> server that is leaking <foo>.local queries into the DNS.
> The same solution also works for .onion.
> Having a local copy of the root zone still works with this.
> This stops leaks of <foo>.local to the root servers which qname
> minimisation doesn't. The extent of the leak is that you know
> .local is in use when you have a validating recursive client.
I would think that the best approach might be:
- insecure delegation to 127.x.x.x, so that queries do not leak past the
host of the local resolver. This is the best we can do for the CPE
equipment and other resolvers that will not be updated until they are
- add .local to resolvers that do update, so they don't bother trying to
- local root is still an option, and reduces queries to the root even more.
This does not cause any additional load on the AS112 servers.
DNSOP mailing list
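As an added example that is not part of the thread or of ISC's own documentation, this is how a BIND 9 recursive server can be made to "maintain its own empty .local", as Mark Andrews suggests above: the server is authoritative for a zone that holds nothing but an SOA and NS at the apex, so every <foo>.local query from a client is answered NXDOMAIN locally and never reaches the root or AS112. The file paths, the SOA timers and the use of localhost. as the owner names are assumptions; any values that make a syntactically valid zone work the same way.

```conf
# named.conf fragment (added example, not from the thread).
# Make this recursive server authoritative for an empty "local." zone so that
# queries for anything under .local are answered here and never leave the host.
options {
    directory "/var/cache/bind";      # assumed path
    recursion yes;
    dnssec-validation auto;
};

zone "local" {
    type master;
    file "/etc/bind/db.empty-local";  # assumed path; contents follow
};

; /etc/bind/db.empty-local (assumed path)
; An SOA and NS at the apex and nothing else: every name below "local." gets
; NXDOMAIN with this SOA in the authority section, without any recursion.
$TTL    86400
@       IN      SOA     localhost. root.localhost. (
                        1         ; serial
                        604800    ; refresh
                        86400     ; retry
                        2419200   ; expire
                        86400 )   ; negative caching TTL
@       IN      NS      localhost.
```

After reloading, `dig @127.0.0.1 printer.local` should return status NXDOMAIN with the local SOA in the AUTHORITY section and the AA flag set; a packet capture on the upstream interface should show no query for it. The Unbound equivalent is `local-zone: "local." static`, which likewise answers NXDOMAIN from local data. Note that this sinks what the resolver's clients leak; as the thread points out, a validating client behind the resolver can still cause a DS query for local. to reach the root, which reveals only that .local is in use.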