In message <alpine.osx.2.11.1610181740070.35...@ary.qy>, "John R Levine" writes:

> >> If we're going to ask people to change their software, how about
> >> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> >> their caches? Those deal with .local and .onion leaks at the same time
> >> they do other useful stuff.
> >
> > No. They slow the leaks. They do not STOP the leaks. They depend on
> > leaks to work.
>
> With a 24 hour TTL on the root zone, it ain't going to leak very much.

The practical TTL is 3 hours.

> Or if you get to hack on your cache, you can just do what unbound already
> did and put in dummy stub zones, no new code needed.

But dummy stub zones (which is what I'm requesting) require changes in the root zone to add an insecure delegation so as not to break other things. That requires IANA to be instructed to do so.

You may not care that validating stub resolvers that ask for example.local get back answers that can be validated as NXDOMAIN without leaking queries to the root, but I do. Just adding the zone locally without having the insecure delegation results in just that condition.

For all the zones in RFC 6303 that is what we instructed IANA to do. I had to open a few trouble tickets with IANA to get them all installed, but there was the documentation there to back up the trouble tickets. We then had to do this for 100.64/10 with RFC 7793, which required co-ordination between IANA and ARIN.

Mark

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
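The trade-off argued above, as an added toy model that is not part of the thread or of any resolver's code: a cache with a dummy zone for "local." stops queries leaking to the root, but a validating stub behind it can only accept the unsigned NXDOMAIN if the root carries an insecure delegation for "local."; aggressive NSEC merely reduces the leaks and needs a fresh leak after each TTL. The classes, the `tld()` helper and the scenario names are my own simplifications (DS and NSEC handling is reduced to a yes/no result).

```python
from dataclasses import dataclass, field
def tld(name):  # top-level zone of a fully-qualified name: 'a.local.' -> 'local.'
    return name.rstrip(".").split(".")[-1] + "."

@dataclass
class Root:  # the signed root zone; names in `insecure` have NS but no DS
    insecure: set = field(default_factory=set)
    queries: int = 0  # every query counted here is a query leaked to the root
    def query(self, qname):
        self.queries += 1
        if tld(qname) in self.insecure:
            return "referral"  # NS present, NSEC proves no DS: provably insecure
        return "nxdomain"      # signed NSEC proof that the name does not exist

@dataclass
class Cache:  # a recursive cache, optionally with dummy zones / aggressive NSEC
    root: Root
    local_zones: set = field(default_factory=set)
    aggressive: bool = False
    nx_tlds: set = field(default_factory=set)     # TLDs proven absent (cached NSEC)
    ds_proof: dict = field(default_factory=dict)  # zone -> provably insecure?
    def resolve(self, qname):
        """(rcode, 'secure'|'unsigned') for a name that exists nowhere."""
        z = tld(qname)
        if z in self.local_zones:
            return "NXDOMAIN", "unsigned"  # from local data: no leak, no signature
        if self.aggressive and z in self.nx_tlds:
            return "NXDOMAIN", "secure"    # synthesized from the cached NSEC
        status = "secure" if self.root.query(qname) == "nxdomain" else "unsigned"
        if status == "secure":
            self.nx_tlds.add(z)
        return "NXDOMAIN", status
    def prove_insecure(self, zone):
        """DS lookup at the parent (the root): one leak, then cached for the TTL."""
        if zone not in self.ds_proof:
            self.ds_proof[zone] = self.root.query(zone) == "referral"
        return self.ds_proof[zone]
    def expire(self):  # TTL expiry: cached proofs are gone, so the next query leaks
        self.nx_tlds.clear(); self.ds_proof.clear()

def validate(cache, qname):  # what a validating stub behind `cache` concludes
    _, status = cache.resolve(qname)
    if status == "secure":
        return "secure"
    return "insecure" if cache.prove_insecure(tld(qname)) else "bogus"

def run(local_zones=(), insecure=(), aggressive=False, names=("a.local.", "b.local.")):
    root = Root(set(insecure))
    cache = Cache(root, set(local_zones), aggressive)
    return [validate(cache, n) for n in names], root.queries
```

`run()` returns the stub's verdict per name and how many queries reached the root: a dummy zone alone gives zero leaks but "bogus", and only the combination of dummy zone plus insecure delegation gives a validatable answer with a single DS lookup.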