In message <20161018175340.26608.qm...@ary.lan>, "John Levine" writes:
> >I would think that the best approach might be:
> >- insecure delegation to 127.x.x.x, so that queries do not leak past the
> >host of the local resolver. This is the best we can do for the CPE
> >equipment and other resolvers that will not be updated until they are
> >replaced.
> >- add .local to resolvers that do update, so they don't bother trying to
> >query 127.x.x.x
> >- local root is still an option, and reduces queries to the root even more.
>
> If we're going to ask people to change their software, how about
> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> their caches? Those deal with .local and .onion leaks at the same time
> they do other useful stuff.

No. They slow the leaks. They do not STOP the leaks. They depend on leaks to work.

> I still see this proposal as a distraction from other more general proposals.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org