>You may not care that validating stub resolvers that ask for
>example.local get back answers that can be validated as NXDOMAIN
>without leaking queries to the root but I do.  Just adding the zone
>locally without having the insecure delegation results in just that

It just occurred to me that we seem to disagree about what problem
we're solving here.

If we see a DNS query for .local or .onion, an application is trying
to use mDNS or Tor on a machine that doesn't implement them.  On
machines that do implement mDNS and Tor, neither of those does DNSSEC
signatures, so there is no reason to provide answers that the
application is not looking for.

So a cache stub that provides unsigned answers to .local and .onion
queries is just fine.  If the client treats that as SERVFAIL or
whatever it does with unverified answers, that's fine too.
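To make the behaviour being argued about concrete, here is a small added example (not code from this thread or from any resolver project) of what a caching stub that answers .local and .onion locally actually hands back on the wire: an authoritative NXDOMAIN with the AD bit clear, so the query never leaves the host and a validating stub sees an unvalidated negative answer. The suffix list, the query ID and the name "printer.local" are assumptions chosen for the example; the message builder and parser only cover the question section (no name compression), which is all this case needs.

```python
import struct

# Suffixes treated as locally served: ".local" (RFC 6761) and ".onion"
# (RFC 7686).  The list itself is an assumption for this example.
LOCAL_SUFFIXES = ("local.", "onion.")

RCODE_NXDOMAIN = 3
FLAG_QR = 0x8000   # response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (DNSSEC validated)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode uncompressed labels (question sections do not use pointers)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(qname, qtype=1, qid=0x1234, want_ad=True):
    """Build a query the way a validating stub sends it: RD set, and AD set
    in the query to ask the resolver to report validation status (RFC 6840)."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Parse the header and the single question of a query or response."""
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "flags": flags, "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "qclass": qclass,
            "question_end": off + 4}


def is_locally_served(qname):
    """True if qname is at or below one of the locally served suffixes."""
    q = qname.lower()
    return any(q == s or q.endswith("." + s) for s in LOCAL_SUFFIXES)


def answer_locally(query):
    """Synthesize an unsigned, authoritative NXDOMAIN for a locally served
    name.  Returns None when the name is not locally served, meaning the
    caller would forward the query upstream instead."""
    q = parse_message(query)
    if not is_locally_served(q["qname"]):
        return None
    # QR + AA + RA, echo RD, RCODE = NXDOMAIN.  AD is deliberately left
    # clear: this answer carries no DNSSEC proof and claims none.
    flags = FLAG_QR | FLAG_AA | FLAG_RA | (q["flags"] & FLAG_RD) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + query[12:q["question_end"]]


def stub_view(response):
    """What a validating stub sees: the RCODE and whether AD was set."""
    r = parse_message(response)
    return {"rcode": r["rcode"], "validated": bool(r["flags"] & FLAG_AD)}


if __name__ == "__main__":
    query = build_query("printer.local")        # constructed sample query
    reply = answer_locally(query)
    print(stub_view(reply))                     # NXDOMAIN, validated=False
    print(answer_locally(build_query("example.com")))  # None: would forward
```

The interesting line is the flags word in answer_locally: the response is authoritative and negative but never asserts AD, so a stub that insists on validated answers will treat it as unverified, while an application that was only probing for mDNS or Tor support gets the NXDOMAIN it was looking for, and nothing was sent to the root.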


