> You may not care that validating stub resolvers that ask for
> example.local get back answers that can be validated as NXDOMAIN
> without leaking queries to the root but I do. Just adding the zone
> locally without having the insecure delegation results in just that
> condition.
It just occurred to me that we seem to disagree about what problem we're solving here. If we see a DNS query for .local or .onion, an application is trying to use mDNS or Tor on a machine that doesn't implement them. On machines that do implement mDNS and Tor, neither of them does DNSSEC signatures, so there is no reason to provide answers that the application is not looking for.

So a cache stub that provides unsigned answers to .local and .onion queries is just fine. If the client treats that as SERVFAIL or whatever it does with unverified answers, that's fine too.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
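To make the "cache stub" behaviour concrete, here is an added illustration that is not part of the thread and not anyone's production resolver: a minimal stub that parses a DNS query from the wire using only the Python standard library, answers any name under the special-use suffixes `.local` and `.onion` with an unsigned NXDOMAIN (AD bit clear, as the message above describes), and forwards everything else upstream. The upstream is a constructed fake that returns a NOERROR answer, and the query builder is constructed here too; the wire-format handling is deliberately minimal (no name compression in the queries it builds, one question per message). The `forwarded` list is the check a practitioner would want: it shows which names actually left the stub, so a query for `printer.local` never reaching the upstream (and hence never reaching the root) is something you can assert on rather than assume.

```python
import struct

# Special-use suffixes the stub answers itself (mDNS .local, Tor .onion),
# as discussed in the thread. Anything else is forwarded upstream.
LOCALLY_SERVED = ("local", "onion")

# Header flag bits (RFC 1035 / RFC 4035 layout of the 16-bit flags field).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name starting at offset `off`; returns (name, next offset).
    Compression pointers are followed so real queries still parse."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer, name continues elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            off += 2
            break
        off += 1
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(qid, name, qtype=1):
    """Constructed stub-side query: one question, RD set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (id, flags, qname, qtype, qclass, raw question section)."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    assert qdcount == 1, "this minimal stub handles exactly one question"
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, flags, name, qtype, qclass, msg[12:off + 4]


def is_locally_served(name):
    """True if the rightmost label is one of the locally served suffixes."""
    return name.lower().rstrip(".").split(".")[-1] in LOCALLY_SERVED


def nxdomain_response(qid, flags, question):
    """Unsigned NXDOMAIN: QR, AA, RA set, RD copied from the query, AD deliberately
    clear because nothing here is DNSSEC-signed; no answer/authority records."""
    resp_flags = QR | AA | RA | (flags & RD) | RCODE_NXDOMAIN
    return struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0) + question


class StubCache:
    """Answers .local/.onion locally, forwards the rest; records what was forwarded."""

    def __init__(self, upstream):
        self.upstream = upstream   # callable: wire query -> wire response
        self.forwarded = []        # names that actually left this host

    def resolve(self, query):
        qid, flags, name, _qtype, _qclass, question = parse_question(query)
        if is_locally_served(name):
            return nxdomain_response(qid, flags, question)
        self.forwarded.append(name)
        return self.upstream(query)


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def ad_bit(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & AD)


def demo():
    """Run three constructed queries through the stub with a fake upstream."""
    def fake_upstream(query):
        # Constructed upstream: NOERROR with AD set, standing in for a validating recursive.
        qid, _flags, _n, _t, _c, question = parse_question(query)
        return struct.pack("!HHHHHH", qid, QR | RD | RA | AD | RCODE_NOERROR, 1, 0, 0, 0) + question

    cache = StubCache(fake_upstream)
    r_local = cache.resolve(build_query(1, "printer.local"))
    r_onion = cache.resolve(build_query(2, "example.onion"))
    r_com = cache.resolve(build_query(3, "example.com"))
    return {
        "local": rcode(r_local), "local_ad": ad_bit(r_local),
        "onion": rcode(r_onion), "com": rcode(r_com),
        "forwarded": list(cache.forwarded),
    }


if __name__ == "__main__":
    print(demo())
```

The interesting line in the output is `forwarded`: only `example.com` appears, so the special-use names were answered without any upstream traffic, and the NXDOMAIN for them carries no AD bit, which is exactly the unsigned answer a validating client would then treat however it treats unverified data.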