I have to say I'm startled to see that people here aren't aware that
.onion is entirely handled in applications.
A Google search for "DNS .onion leaks" comes up with many links, many
relating to reported bugs in browsers.
Yeah, that's why it'd be nice if the DNS resolver rejected them rather
than telling the world what you were trying to look for in .onion land.
So I don't know if we can truly claim that resolvers are being shielded from
.onion by the applications. Maybe it's better now, it would be interesting
if Symantec were to update this.
They aren't. That's why it'd be nice to make that bug less leaky.
don't leak into the DNS. The only thing that anyone's asking DNS
developers to do is to fail .onion requests rather than forwarding
them along.
That's the problem. Creating new requirements for DNS developers to do
anything at all is a huge problem.
It's not a requirement. It's a request. I expect it's a lot easier than
whatever you have to do to deal with .local. If we adopt .alt, you can
stub that out too and with any luck you're done.
Having said that, I wish there was a way with a single DNS lookup one could
resolve both/either IPv4 and/or IPv6 addresses from a name with a single
query (e.g. the "give me any version address" query), rather than having to
make 2 lookups and fail over etc. Would basically halve the amount of DNS
traffic on the network and resolve a lot of pathological cases.
Surely you've been reading the draft-vavrusa-dnsop-aaaa-for-free thread.
R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
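
One way a stub or forwarding resolver could do what the thread asks, failing .onion queries locally rather than forwarding them. This is an added example, not code from the thread or from any resolver project. Answering with NXDOMAIN, the suffix set and every function name are assumptions of this example, and the query bytes are constructed.

```python
import struct

# Assumption: names handled outside the DNS; the thread names .onion.
LOCAL_ONLY_TLDS = {"onion"}

def parse_qname(msg, offset=12):
    """Return (labels, offset after name) for the question name."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:  # pointer or reserved label type: invalid here
            raise ValueError("unexpected compression pointer")
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace").lower())
        offset += length

def nxdomain_for(query):
    """Return an NXDOMAIN reply if the name must not be forwarded, else None."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, end = parse_qname(query)
    if end + 4 > len(query):
        raise ValueError("truncated question")
    if not labels or labels[-1] not in LOCAL_ONLY_TLDS:
        return None  # ordinary name: caller forwards it as usual
    # QR=1, keep opcode and RD, set RA, RCODE=3 (NXDOMAIN); echo the question.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | 3
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:end + 4]

def build_query(name, qtype=1, qid=0x1234):
    """Constructed test input: a one-question query with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    for name in ("constructed-example.ONION", "onion.example.com"):
        reply = nxdomain_for(build_query(name))
        print(name, "->", "NXDOMAIN locally" if reply else "forward")
```

The match is on the last label only and is case-insensitive, so a name such as onion.example.com is still forwarded.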