On 7/18/15, 3:39, "DNSOP on behalf of Ralf Weber" <[email protected] on behalf of [email protected]> wrote:

>I'm ok with .onion being
>a special name, but we should just do that by normal DNS
>mechanism. What's wrong with answering REFUSED?. Answering
>NXDomain is much harder in a DNSSEC world.

If "onion" is not delegated in the root zone, then DNS servers will answer NXDOMAIN for it - without change.

$ dig something.onion A

; <<>> DiG 9.8.3-P1 <<>> something.onion A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55221
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;something.onion. IN A

;; ANSWER SECTION:
something.onion. 15 IN A 92.242.140.2

;; Query time: 14 msec
;; SERVER: 68.105.28.11#53(68.105.28.11)
;; WHEN: Sat Jul 18 02:26:34 2015
;; MSG SIZE rcvd: 49

Oh, wait, oops. My ISP's recursive name server likes to substitute landing pages. ;)

Sigh. This wasn't something I had thought of. (Seriously, this isn't to make a point. It's another wrinkle.)
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
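
Added example, not part of the original message or thread: a small Python check that reads dig's text output and reports address records a resolver returned for names under a TLD that should yield NXDOMAIN, which is the substitution seen in the message above. The function names and the `UNDELEGATED_TLDS` set are assumptions of this example; the second sample is constructed.

```python
import re

# Assumption of this example: TLDs treated as not delegated in the root zone,
# so an unmodified resolver answers NXDOMAIN for any name under them.
UNDELEGATED_TLDS = {"onion"}
STATUS_RE = re.compile(r"status:\s*(\w+)")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(?:A|AAAA)\s+(\S+)$")

def parse_dig(text):
    """Return (status, [(owner, address), ...]) from dig's text output."""
    status, answers, in_answer = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # Any ";;" line starts a new block; only ANSWER SECTION is kept.
            in_answer = line == ";; ANSWER SECTION:"
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
        elif not line:
            in_answer = False          # a blank line ends the section
        elif in_answer:
            m = RR_RE.match(line)
            if m:
                answers.append((m.group(1).rstrip(".").lower(), m.group(2)))
    return status, answers

def substituted_answers(text):
    """NOERROR address records for names that should have been NXDOMAIN."""
    status, answers = parse_dig(text)
    if status != "NOERROR":
        return []
    return [(name, addr) for name, addr in answers
            if name.rsplit(".", 1)[-1] in UNDELEGATED_TLDS]

# dig output as quoted in the message above.
FROM_MESSAGE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55221
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;something.onion. IN A

;; ANSWER SECTION:
something.onion. 15 IN A 92.242.140.2
"""
# Constructed sample: the header an unmodified resolver would return.
CONSTRUCTED_NXDOMAIN = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242\n"

if __name__ == "__main__":
    print(substituted_answers(FROM_MESSAGE))
    print(substituted_answers(CONSTRUCTED_NXDOMAIN))
```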
