In message <e5ab0a08-0dda-496a-811e-25c1ba276...@nominum.com>, Ted Lemon writes : > > On Feb 9, 2017, at 8:57 PM, Mark Andrews <ma...@isc.org> wrote: > > I'm developing software that will be run on private internets with > > various degrees of compentence from the adminitrators as well as > > the public Internet. That private internet may have a ENT for ALT > > that returns NXDOMAIN. The server has to work in that environment. > > I don't know what an ENT is.
Empty Non Terminal which is a quite common acronym in this group. > In any case, I don't see what this has to do with what we are talking > about. It is an absolute fact that if you want ALT queries not to leak > you need to have a specially-configured recursive resolver, Pray tell what specially-configured recursive resolver works? > or else one that is really quite up to date. Actually one from the future. We don't have a RFC that say to perform agressive negative caching. > If you have one that is really quite > up to date, a secure denial of existence will do the right thing. Only if you also validate. You are putting the "you can play bar" for privacy at the ceiling. > So we are really just arguing about how to specially configure > out-of-date resolvers. This is really out of scope. There is nothing > dnsop can do to make sure that these queries do not leak, so we should > just decide what the right design is assuming that all the moving parts > are working correctly, and leave it at that. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
