In message <alpine.osx.2.11.1610181740070.35...@ary.qy>, "John R Levine" writes:
> >> If we're going to ask people to change their software, how about
> >> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> >> their caches?  Those deal with .local and .onion leaks at the same time
> >> they do other useful stuff.
> >
> > No.  They slow the leaks.  They do not STOP the leaks.  They depend on
> > leaks to work.
> With a 24 hour TTL on the root zone, it ain't going to leak very much.

The practical TTL is 3 hours.
> Or if you get to hack on your cache, you can just do what unbound already 
> did and put in dummy stub zones, no new code needed.

But dummy stub zones (which is what is being I'm requesting) require
changes in the root zone to add a insecure delegation to not break
other things.  That requires IANA to be instructed to do so.

You may not care that validating stub resolvers that ask for
example.local get back answers that can be validated as NXDOMAIN
without leaking queries to the root but I do.  Just adding the zone
locally without having the insecure delegation results in just that

For all the zones in RFC 6303 that is what we instructed IANA to
do.  I had to open a few trouble ticket with IANA to get them all
installed but there was the documentation there to back up the
trouble tickets.  We then had to do this for 100.64/10 with RFC
7793 which was required co-ordinatation between IANA and ARIN.


> Regards,
> John Levine,, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:

DNSOP mailing list

Reply via email to