On Tue, Mar 17, 2015 at 9:11 PM, Andrew Sullivan <a...@anvilwalrusden.com> wrote:
> On Tue, Mar 17, 2015 at 12:59:25PM -0400, Richard Barnes wrote:
> > > > If an application does not implement tor, and is not tor aware, it
> > > > _will_ do a DNS lookup. You can't really go ask the world to stop
> > > > doing that. You need to deal with that fact.
> >
> > The entire point of the special use domains registry is to tell general
> > clients how to behave with regard to special-use names. It exists
> > precisely to tell the world the DNS names for which they should not do
> > lookups, because they require different handling.
>
> Actually, my understanding is that the point of the special use
> domains registry is to create a repository for applications so that,
> _if_ they are looking at names in domain name slots and trying to do
> something sensible, they know where to look to learn about those
> sensible things.
>
> There is no way for a document to specify, "Don't look stuff up in the
> DNS." If we had a reliable way to make that rule, AS112 wouldn't have
> been necessary. I think there's nothing wrong with the document
> saying that you _shouldn't_ look them up, because they're promised not
> to give you a response anyway so it's just pollution traffic. But do
> not delude yourself into thinking that adding stuff to the special
> names registry will do anything to prevent leaking. It will not.

Absolutely. The only nit I would pick with the above is that it's perfectly possible to *specify* what should be done, but of course one should not expect that to instantly change everyone's behavior.

Clearly, publishing this document will not instantly stop leakage. But providing good guidance to implementors can help stop it sooner in more cases -- at the recursive resolver instead of the root; at the stub resolver if not the recursive resolver; at the client if not the stub resolver.

Reducing leakage is also not the only benefit of getting this traffic off the DNS. It seems like lowering the rate of bogus queries would be an operational plus. Stopping the queries sooner also makes software fail faster and more cleanly.

--Richard

>
> A
>
> --
> Andrew Sullivan
> a...@anvilwalrusden.com
>
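The innermost layer of the guidance above (stop the query at the client, before any stub or recursive resolver sees it), as an added example that is not part of this thread or of the draft under discussion: a Python wrapper that refuses to hand names under a special-use suffix to the real resolver and fails cleanly instead of leaking the query. The suffix list, the `NotResolvableError` class and the helper names are this example's own assumptions; the list should be taken from the Special-Use Domain Names registry in a real deployment.

```python
import socket
from typing import Callable, List, Optional

# Constructed list for this example (assumption, not the registry itself):
# top-level labels whose names a client should never send to the DNS.
# ".onion" is the case this thread is about; ".invalid" is an RFC 6761
# reservation for which resolvers are expected to answer negatively locally.
SPECIAL_USE_NO_LOOKUP = ("onion", "invalid")


class NotResolvableError(Exception):
    """Raised instead of performing a DNS lookup for a special-use name."""


def _labels(name: str) -> List[str]:
    # Normalise: drop the trailing dot of an FQDN, fold case, split per label.
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def special_use_suffix(name: str) -> Optional[str]:
    """Return the special-use top-level label `name` falls under, or None.

    Matching is done on whole labels, so "example.onion" matches while
    "example.onionx" and "onion.example.com" do not (a substring check
    would get both of those wrong).
    """
    labels = _labels(name)
    if not labels:
        return None
    tld = labels[-1]
    return tld if tld in SPECIAL_USE_NO_LOOKUP else None


def resolve(name: str, resolver: Callable = socket.getaddrinfo):
    """Client-side guard in front of the real lookup.

    Special-use names fail fast with a clear error and never reach
    `resolver`; everything else is passed through unchanged.
    """
    suffix = special_use_suffix(name)
    if suffix is not None:
        raise NotResolvableError(
            f"{name!r} is under .{suffix}; refusing to send it to the DNS")
    return resolver(name, None)
```

Wiring `resolve` in at the point where an application would otherwise call `socket.getaddrinfo` directly turns a leaked query plus an eventual NXDOMAIN into an immediate, explicit local failure.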
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop