In message <20161018175340.26608.qm...@ary.lan>, "John Levine" writes:
> >I would think that the best approach might be:
> >- insecure delegation to 127.x.x.x, so that queries do not leak past the
> >host of the local resolver.  This is the best we can do for the CPE
> >equipment and other resolvers that will not be updated until they are
> >replaced.
> >- add .local to resolvers that do update, so they don't bother trying to
> >query 127.x.x.x
> >- local root is still an option, and reduces queries to the root even more.
> If we're going to ask people to change their software, how about
> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> their caches?  Those deal with .local and .onion leaks at the same time
> they do other useful stuff.

No.  They slow the leaks.  They do not STOP the leaks.  They depend on
leaks to work.
> I still see this proposal as a distraction from other more general proposals.
> R's,
> John
> _______________________________________________
> DNSOP mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:

DNSOP mailing list

Reply via email to