If we're going to ask people to change their software, how about
asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
their caches?  Those deal with .local and .onion leaks at the same time
they do other useful stuff.

No.  They slow the leaks.  They do not STOP the leaks.  They depend on
leaks to work.

With a 24 hour TTL on the root zone, it ain't going to leak very much.

Or if you get to hack on your cache, you can just do what unbound already did and put in dummy stub zones, no new code needed.

John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

DNSOP mailing list

Reply via email to