In message <em8bf94e58-4db5-4277-86ce-c0c5c0dc893f@bodybag>, "Adrien de Croy" 
writes:
>
> that's correct.  It looks in that document like a quote from the IAB,
> but if you're saying it's not, I then would have to challenge the
> logical conclusion asserted in that second paragraph.
>
> I don't see why it necessarily follows that having a single tree with a
> single root creates a requirement for support for multiple resolution
> protocols.

Because the only other way to be able to distinguish between an onion
address and a DNS name would be to have onion use labels with a
wire representation that are longer than 63 octets or with overall
lengths greater than 255 wire octets or you have to prefix all names
with DNS and ONION to identify the resolution namespace.  Almost
any string of characters will form a valid DNS name.

This was my signature back in 1995.  Note you had to NAME the NAMESPACES.

        Mark Andrews, CSIRO Div Maths & Stats
        Locked Bag 17, North Ryde, NSW 2113, Australia.
        PHONE:  +61 2 325 3148                       INTERNET: ma...@syd.dms.csiro.au
        UUCP: ....!uunet!syd.dms.csiro.au!marka

None of us grey beards want to go back to those days.

We could have added "*.onion 604800 IN NULL" to the root zone and
fixed all the resolvers to stop searching on NOERROR but that does
not stop the fact that you want to use TOR alone with who you want
to talk to leaking unintentionally.

> The thousands of authors of other protocols and systems don't seem to
> have had too much trouble so far just using DNS where required, and
> putting resolution into their own protocols outside the tree.  Why break
> the whole tree for some nebulous result which surely in all cases can be
> worked around with a smaller consequence than having to deploy new DNS
> to the entire world.
>
> Even a DSL/NAT box does DNS forwarding, do we expect all those cheap
> router box vendors to patch out the firmware for this any time soon?

No.  The expectation is that future boxes that they ship will
implement the protocol and not pass on the leaked name.  The
expectation is that any update issued will also address this.

The RFC allows DNS only resolvers, proxies and recursive servers
to all generate NXDOMAIN responses in the event of a leak.  This
will result in SERVFAIL in some cases as the validation of the
response will fail but it will still prevent the leak spreading.

> Adrien

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
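To illustrate the two technical points in the reply above (a .onion name fits comfortably inside the 63-octet label and 255-octet name limits, so nothing on the wire tells it apart from a DNS name, and a resolver can answer NXDOMAIN locally instead of forwarding the leaked query), here is an added example in Python that is not part of the thread or any referenced implementation; the function names, the constructed 56-character sample label and the simulated "FORWARD" result are my own assumptions.

```python
# Added example (not from the thread). Encodes a name into DNS wire
# format, checks the RFC 1035 limits (63-octet label, 255-octet name),
# and models a leak-aware resolver that answers .onion queries with
# NXDOMAIN locally, as the reply says RFC 7686 permits.

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 255   # RFC 1035 total wire-name limit

def _labels(name: str) -> list[str]:
    """Split presentation-format name into labels, dropping the empty root."""
    return [l for l in name.rstrip(".").split(".") if l]

def wire_encode(name: str) -> bytes:
    """Encode a name into DNS wire format, raising ValueError if any
    label exceeds 63 octets or the whole name exceeds 255 octets."""
    out = b""
    for label in _labels(name):
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL:
            raise ValueError(f"label too long: {len(raw)} > {MAX_LABEL}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"  # zero-length root label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError(f"name too long: {len(out)} > {MAX_NAME}")
    return out

def is_onion(name: str) -> bool:
    """True if the rightmost label is 'onion' (the RFC 7686 special-use name)."""
    labels = _labels(name)
    return bool(labels) and labels[-1].lower() == "onion"

def resolver_answer(qname: str) -> str:
    """Leak-aware resolver step: a well-formed .onion query is answered
    NXDOMAIN here and never sent upstream; anything else is forwarded
    ('FORWARD' is a simulated placeholder for the upstream query)."""
    wire_encode(qname)        # the query still has to be a valid DNS name
    if is_onion(qname):
        return "NXDOMAIN"     # stop the leak at this hop
    return "FORWARD"

if __name__ == "__main__":
    # Constructed sample: a 56-character label, the length of a v3 onion
    # address, sits well under the 63-octet label limit.
    sample = "a" * 56 + ".onion"
    print(len(wire_encode(sample)), resolver_answer(sample))
```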

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
