Dear Edward,

I think what you wrote is overall a pretty accurate analysis. What I would want to point out is that

> What is needed is a change to all applications that handle
> identifiers that resemble printed domain names so that they know how
> to resolve the names. They need to know when an identifier is a GNS
> identifier or a Tor identifier. (Would leaking a GNS identifier to
> Tor be as bad as leaking it to DNS?) That's a problem to be solved,
> even if this draft is not the place to do it. Without this, it's
> likely that identifiers will leak all over.

is not exactly correct, as for example GNS intercepts DNS queries in NSS or using iptables, allowing applications to remain ignorant of the use of GNS. So sometimes applications do not need to be changed and might never need to know. However, that said, generally GNS becomes MUCH more powerful if applications support it explicitly, as features such as resolving TLSA records or GnuPG public keys are obviously not possible via mechanisms like NSS. I believe DNSSEC suffers similarly from the burden of legacy APIs.

You are of course right that legacy applications that do not explicitly support the pTLDs significantly increase the risk of pTLD queries escaping to DNS, as there is then a risk of the overall system not being correctly configured.

Best,
Christian
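The leak risk discussed above, applications handing pTLD names to DNS, can be checked for on the resolver side. The following is an added example, not code from this thread or from GNUnet: a small routing function that an application could call before resolving a name, plus a scan over constructed resolver query-log lines that flags any pTLD query that reached DNS. The pTLD-to-system mapping and the log format are assumptions for illustration.

```python
import re
from collections import Counter

# Which P2P system owns each pseudo-TLD. Assumption: illustrative mapping
# only, not an exhaustive or authoritative list of special-use names.
PTLD_OWNER = {
    "gnu": "gns",     # GNS names
    "zkey": "gns",    # GNS public-key names
    "onion": "tor",   # Tor hidden services
    "exit": "tor",    # Tor exit selection
}

def route_name(name: str) -> str:
    """Return the resolver a name belongs to: 'gns', 'tor' or 'dns'.
    An application that consults this before getaddrinfo() never hands
    a pTLD name to the DNS path."""
    labels = name.rstrip(".").lower().split(".")
    return PTLD_OWNER.get(labels[-1], "dns")

# Constructed query-log lines in a BIND-like "query:" shape (not real logs).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.10#53212: query: alice.gnu IN A + (192.0.2.1)
client 192.0.2.11#40001: query: xyz.onion IN AAAA + (192.0.2.1)
client 192.0.2.12#40002: query: mail.example.net IN MX + (192.0.2.1)
client 192.0.2.10#53213: query: bob.zkey IN TLSA + (192.0.2.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

def find_ptld_leaks(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, name, owner) for every logged query whose name
    belongs to a pTLD and therefore should never have reached DNS."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        owner = route_name(m["name"])
        if owner != "dns":
            leaks.append((m["client"], m["name"], owner))
    return leaks

def leaks_per_client(log_text: str) -> dict[str, int]:
    """Count leaked pTLD queries per client, to spot misconfigured hosts."""
    return dict(Counter(client for client, _, _ in find_ptld_leaks(log_text)))
```

A host that shows up repeatedly in `leaks_per_client` is one where the NSS or iptables interception is missing or misordered.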
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop