Could your concern be addressed with secure denial of existence plus the right text about how to configure recursive resolvers?
On Feb 10, 2017 1:02 AM, "Mark Andrews" <ma...@isc.org> wrote: > > In message <e5ab0a08-0dda-496a-811e-25c1ba276...@nominum.com>, Ted Lemon > writes > : > > > > On Feb 9, 2017, at 8:57 PM, Mark Andrews <ma...@isc.org> wrote: > > > I'm developing software that will be run on private internets with > > > various degrees of compentence from the adminitrators as well as > > > the public Internet. That private internet may have a ENT for ALT > > > that returns NXDOMAIN. The server has to work in that environment. > > > > I don't know what an ENT is. > > Empty Non Terminal which is a quite common acronym in this group. > > > In any case, I don't see what this has to do with what we are talking > > about. It is an absolute fact that if you want ALT queries not to leak > > you need to have a specially-configured recursive resolver, > > Pray tell what specially-configured recursive resolver works? > > > or else one that is really quite up to date. > > Actually one from the future. We don't have a RFC that say to perform > agressive negative caching. > > > If you have one that is really quite > > up to date, a secure denial of existence will do the right thing. > > Only if you also validate. > > You are putting the "you can play bar" for privacy at the ceiling. > > > So we are really just arguing about how to specially configure > > out-of-date resolvers. This is really out of scope. There is nothing > > dnsop can do to make sure that these queries do not leak, so we should > > just decide what the right design is assuming that all the moving parts > > are working correctly, and leave it at that. > > Mark > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
