Brian Dickson <[email protected]> wrote:
>
> Precisely because you want a non-TLD (we should remember this is NOT an
> actual TLD), for a number of reasons:
>
> - You want to be able to limit the places any leaked traffic goes
>   - Currently this would be the Root Servers

And any resolvers in between there and roaming users.

> - The typical content of enterprisey internal-only names (the DNS
>   queries themselves) are sensitive in nature
>   - I have had the opportunity to view DITL data from ISP resolvers,
>     and the nature of these kinds of queries was unsettling
> - In addition to leaking information, these names generally should
>   not have any presence in DNS caches, which makes them excellent
>   candidates for easy poisoning

These issues happen in exactly the same way whether you squat on a TLD or
use a private subdomain.

The draft doesn't talk about random subdomains; instead it says that part
of the point is to make names as short as possible. And our experience
with telling people to use random parts of private address space (as in
RFC 1918, and IPv6 GUA) is that they don't.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
North Foreland to Selsey Bill: Southerly or southwesterly, becoming
variable at times, 2 or 3, occasionally 4 until later. Smooth,
occasionally slight. Fog patches for a time near shore. Moderate or good,
occasionally very poor for a time near shore.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
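Added illustration of the leakage point argued above (not part of the thread or of the draft): a small Python checker that scans constructed BIND-style resolver query log lines for queries under internal-only suffixes, so an operator of an external-facing resolver can see what is escaping. The suffixes, client addresses and names are placeholders chosen for the example; a squatted pseudo-TLD and a private subdomain of a real domain are caught by the same rule, which is the point Tony makes.

```python
import re
from collections import Counter

# Internal-only suffixes an operator expects never to see at an
# external-facing resolver. Both are constructed placeholders: one squatted
# pseudo-TLD and one private subdomain of a registered domain.
INTERNAL_SUFFIXES = ("corp.", "internal.example.com.")

# BIND-style "query:" log line (client address, qname, qtype). Constructed.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-f.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two clients leaking internal names, one normal query.
SAMPLE_LOG = """\
01-Jan-2024 10:00:01.000 client 192.0.2.10#53211 (fileserver.corp): query: fileserver.corp IN A +
01-Jan-2024 10:00:02.000 client 192.0.2.11#41022 (mail.internal.example.com): query: mail.internal.example.com IN A +
01-Jan-2024 10:00:03.000 client 198.51.100.7#5353 (www.example.org): query: www.example.org IN AAAA +
01-Jan-2024 10:00:04.000 client 192.0.2.10#53212 (printer.corp): query: printer.corp IN A +
"""


def normalise(name):
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_internal(qname, suffixes=INTERNAL_SUFFIXES):
    """True if qname equals or sits below one of the internal-only suffixes."""
    q = normalise(qname)
    return any(q == s or q.endswith("." + s) for s in map(normalise, suffixes))


def find_leaks(log_text, suffixes=INTERNAL_SUFFIXES):
    """Return (client, qname, qtype) for every logged query under an internal suffix."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_internal(m.group("qname"), suffixes):
            leaks.append((m.group("client"), normalise(m.group("qname")), m.group("qtype")))
    return leaks


def summarise(leaks, suffixes=INTERNAL_SUFFIXES):
    """Count leaked queries per internal suffix (pseudo-TLD and subdomain alike)."""
    per_suffix = Counter()
    for _, qname, _ in leaks:
        for s in map(normalise, suffixes):
            if qname == s or qname.endswith("." + s):
                per_suffix[s] += 1
    return per_suffix
```

Feeding the resolver's real query log into `find_leaks` and comparing the result against the RFC 1918 ranges the clients should be coming from shows which roaming users or misconfigured forwarders are sending internal-only names out.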
