In message <20161018175340.26608.qm...@ary.lan>, "John Levine" writes:
> >I would think that the best approach might be:
> >- insecure delegation to 127.x.x.x, so that queries do not leak past the
> >host of the local resolver. This is the best we can do for the CPE
> >equipment and other resolvers that will not be updated until they are
> >- add .local to resolvers that do update, so they don't bother trying to
> >query 127.x.x.x
> >- local root is still an option, and reduces queries to the root even more.
> If we're going to ask people to change their software, how about
> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> their caches? Those deal with .local and .onion leaks at the same time
> they do other useful stuff.
No. They slow the leaks. They do not STOP the leaks. They depend on
leaks to work.
> I still see this proposal as a distraction from other more general proposals.
> DNSOP mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
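The distinction drawn in this message, as an added example that is not part of the original thread: a toy resolver model comparing how many private-namespace queries reach the root with no mitigation, with aggressive NSEC caching, and with the names configured locally. The `Resolver` class, the root zone subset and the query list are constructed for illustration, and NSEC wrap-around and TTL expiry are not modelled.

```python
import bisect

# Constructed subset of a signed root zone, kept in sorted order.
ROOT_TLDS = sorted(["com", "lk", "loan", "locker", "net", "onl", "online", "org"])

class Resolver:
    """Toy caching resolver that records every query it sends to the root."""

    def __init__(self, aggressive_nsec=False, local_zones=()):
        self.aggressive_nsec = aggressive_nsec
        self.local_zones = set(local_zones)  # answered on the box, never forwarded
        self.nsec_gaps = []                  # cached (owner, next) pairs from NSEC
        self.leaked = []                     # query names that reached the root

    def _ask_root(self, qname, tld):
        self.leaked.append(qname)
        i = bisect.bisect_left(ROOT_TLDS, tld)
        if i < len(ROOT_TLDS) and ROOT_TLDS[i] == tld:
            return "REFERRAL", None
        # NXDOMAIN arrives with the NSEC proving the gap around tld.
        # Simplification: sentinels stand in for the wrap-around at the apex.
        lo = ROOT_TLDS[i - 1] if i > 0 else ""
        hi = ROOT_TLDS[i] if i < len(ROOT_TLDS) else "\x7f"
        return "NXDOMAIN", (lo, hi)

    def resolve(self, qname):
        tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in self.local_zones:
            return "NXDOMAIN (local)"
        if self.aggressive_nsec and any(lo < tld < hi for lo, hi in self.nsec_gaps):
            return "NXDOMAIN (synthesized from cached NSEC)"
        rcode, gap = self._ask_root(qname, tld)
        if gap and self.aggressive_nsec:
            self.nsec_gaps.append(gap)
        return rcode

def leaks(resolver, queries):
    """Run the queries and return the names that were sent to the root."""
    for q in queries:
        resolver.resolve(q)
    return resolver.leaked

# Constructed sample of private-namespace queries from a host.
QUERIES = ["printer.local", "nas.local", "abcdef.onion", "tv.local", "xyz.onion"]

if __name__ == "__main__":
    print(leaks(Resolver(), QUERIES))
    print(leaks(Resolver(aggressive_nsec=True), QUERIES))
    print(leaks(Resolver(local_zones={"local", "onion"}), QUERIES))
```

In a real cache the NSEC records expire with their TTL, so the aggressive case sends one more query per gap after each expiry.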