On Feb 9, 2017, at 8:57 PM, Mark Andrews <ma...@isc.org> wrote:
> I'm developing software that will be run on private internets with
> various degrees of competence from the administrators as well as
> the public Internet. That private internet may have an ENT for ALT
> that returns NXDOMAIN. The server has to work in that environment.

I don't know what an ENT is. In any case, I don't see what this has to do with what we are talking about. It is an absolute fact that if you want ALT queries not to leak you need to have a specially-configured recursive resolver, or else one that is really quite up to date. If you have one that is really quite up to date, a secure denial of existence will do the right thing. So we are really just arguing about how to specially configure out-of-date resolvers. This is really out of scope. There is nothing dnsop can do to make sure that these queries do not leak, so we should just decide what the right design is assuming that all the moving parts are working correctly, and leave it at that.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop