>I would think that the best approach might be:
>- insecure delegation to 127.x.x.x, so that queries do not leak past the
>host of the local resolver.  This is the best we can do for the CPE
>equipment and other resolvers that will not be updated until they are
>- add .local to resolvers that do update, so they don't bother trying to
>query 127.x.x.x
>- local root is still an option, and reduces queries to the root even more.

If we're going to ask people to change their software, how about
asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
their caches?  Those deal with .local and .onion leaks at the same time
they do other useful stuff.

I still see this proposal as a distraction from other more general proposals.
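An added illustration, not part of the original message: a toy negative cache showing how NXDOMAIN-means-NXDOMAIN (RFC 8020) and aggressive NSEC (RFC 8198) let a resolver answer .local and .onion lookups from cache instead of sending them upstream. The names `canon` and `NegativeCache` and the NSEC neighbours used with it are constructed for the example, and NSEC records are assumed to have been DNSSEC-validated before they are stored.

```python
import time

def canon(name):
    """RFC 4034 section 6.1 sort key: lowercased labels, rightmost label first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

class NegativeCache:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.nxdomain = {}        # canon(name) -> expiry time
        self.nsec = []            # (canon(owner), canon(next), expiry time)
        self.upstream = []        # names that would have gone upstream

    def store_nxdomain(self, name, ttl):
        self.nxdomain[canon(name)] = self.clock() + ttl

    def store_nsec(self, owner, next_name, ttl):
        # Assumption: the caller has already DNSSEC-validated this NSEC record.
        self.nsec.append((canon(owner), canon(next_name), self.clock() + ttl))

    def known_absent(self, qname):
        key, now = canon(qname), self.clock()
        # NXDOMAIN cut: a cached NXDOMAIN for the name or any ancestor covers it.
        for i in range(1, len(key) + 1):
            if self.nxdomain.get(key[:i], 0) > now:
                return "nxdomain-cut"
        # Aggressive NSEC: qname falls strictly inside a cached NSEC span.
        # Assumes a zone without wildcards (a full cache must also rule those out).
        for owner, nxt, expiry in self.nsec:
            if expiry <= now:
                continue
            if owner < nxt:
                inside = owner < key < nxt
            else:                                  # last NSEC wraps to the apex
                inside = key > owner or key < nxt
            if inside and nxt[:len(key)] != key:   # qname is not an empty non-terminal
                return "aggressive-nsec"
        return None

    def resolve(self, qname):
        reason = self.known_absent(qname)
        if reason is None:
            self.upstream.append(qname)            # a real resolver would query here
            return "upstream"
        return reason
```

With a cached NXDOMAIN for `local.` or a cached NSEC spanning `one.` to `onl.` (constructed neighbours), `resolve("printer.local.")` and `resolve("example.onion.")` are answered locally until the TTL expires.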


