In message <[email protected]>, "John Levine" writes:
> >I would think that the best approach might be:
> >- insecure delegation to 127.x.x.x, so that queries do not leak past the
> >host of the local resolver. This is the best we can do for the CPE
> >equipment and other resolvers that will not be updated until they are
> >replaced.
> >- add .local to resolvers that do update, so they don't bother trying to
> >query 127.x.x.x
> >- local root is still an option, and reduces queries to the root even more.
>
> If we're going to ask people to change their software, how about
> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> their caches? Those deal with .local and .onion leaks at the same time
> they do other useful stuff.

No. They slow the leaks. They do not STOP the leaks. They depend on leaks to work.

> I still see this proposal as a distraction from other more general proposals.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
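
The mechanisms discussed in this thread can be compared with a small simulation, added here as an illustration and not taken from any message in the thread: it counts which queries for non-existent TLDs reach the root with a plain cache, with an aggressive NSEC cache, and with the names answered on the resolver itself. The TLD subset, TTL, query trace and all class and function names are constructed assumptions, and DNSSEC validation and wildcards are not modelled.

```python
import bisect

ROOT_TLDS = sorted(["com", "link", "lol", "net", "org"])  # constructed subset of the root zone
NEG_TTL = 3600  # constructed lifetime (seconds) of a cached NSEC range

class Resolver:
    def __init__(self, aggressive_nsec=False, local_zones=()):
        self.aggressive_nsec = aggressive_nsec
        self.local_zones = set(local_zones)  # TLDs answered on the resolver itself
        self.nsec_cache = []                 # (prev, next, expiry): ranges proven empty
        self.leaked = []                     # queries that reached the root

    def query(self, name, now):
        tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
        if tld in self.local_zones:
            return "local"                   # never leaves the host
        if any(p < tld < n and now < exp for p, n, exp in self.nsec_cache):
            return "cache"                   # NXDOMAIN synthesised from a cached NSEC
        self.leaked.append(name)             # the root sees the full private name
        if tld in ROOT_TLDS:
            return "referral"
        if self.aggressive_nsec:
            # The NSEC in the root's denial covers the gap between two real TLDs.
            i = bisect.bisect_left(ROOT_TLDS, tld)
            prev = ROOT_TLDS[i - 1] if i else ""
            nxt = ROOT_TLDS[i] if i < len(ROOT_TLDS) else "\uffff"
            self.nsec_cache.append((prev, nxt, now + NEG_TTL))
        return "root"

def leaks(resolver, queries):
    """Replay (time, name) queries and return the names that reached the root."""
    for t, name in queries:
        resolver.query(name, t)
    return list(resolver.leaked)

# Constructed trace; no name repeats inside NEG_TTL, so exact-name negative
# caching (omitted above) would not change the plain resolver's result.
TRACE = [(0, "printer.local"), (10, "nas.local"), (20, "host.localdomain"),
         (30, "abc.onion"), (40, "def.onion"), (NEG_TTL + 5, "printer.local")]

if __name__ == "__main__":
    print("plain cache:    ", leaks(Resolver(), TRACE))
    print("aggressive NSEC:", leaks(Resolver(aggressive_nsec=True), TRACE))
    print("served locally: ", leaks(Resolver(local_zones={"local", "localdomain", "onion"}), TRACE))
```

In this trace the aggressive NSEC cache still sends one query per empty NSEC range to the root, and sends it again once the cached range expires, while the locally answered names produce no root queries at all.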
