On 8/16/19 3:10 PM, Ted Lemon wrote:
> If you look up "onion", you have revealed that the user is trying to
> use Tor, even if you haven't revealed where they are going.

Well, in this particular case the Tor client would probably be better off not sending onion queries to a DNS resolver at all, but generally there would be a leak, though the TTL is a whole day. At least unless combined with one of the "local root" schemes (which are so far not commonly deployed, I think).

> What's the motivation behind this proposal?

As I wrote, supplying the answer with a DNSSEC proof seems better to me. And it makes my camel a tiny bit happier, I guess :-) At that moment I didn't realize that if you forward to a resolver that does respect that SHOULD, you will not be able to obtain the proof in this way and consequently regress, so the change would be double-edged in this respect.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
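The two behaviours discussed in the message (a stub that never lets a .onion query leave the host, and a forwarder that receives an NXDOMAIN for a .onion name and wants to know whether it came with a DNSSEC denial-of-existence proof or was synthesized locally by the upstream) can be shown side by side. The following is an added example written for this page, not code from the thread or from any resolver project. It builds and parses DNS wire-format messages with the standard library only; the sample responses, owner names such as `omega-constructed.`, the SOA/NSEC/RRSIG rdata bytes and the `forward` callable are all constructed placeholders, and no signature is cryptographically verified, the check only looks at which record types the authority section carries.

```python
"""Added example: tell a DNSSEC-provable .onion NXDOMAIN from a locally synthesized one.

Messages are constructed inline in plain DNS wire format; no network, no real
signatures, and no name compression (the builder never emits pointers).
"""
import struct

# RR type codes from the IANA DNS parameters registry
TYPE_A, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 6, 46, 47, 50
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset `off`; returns (name, new offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not used by this builder")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def is_onion(qname):
    """True when the rightmost label is 'onion' (case-insensitive)."""
    return qname.rstrip(".").lower().split(".")[-1] == "onion"


def build_response(qname, qtype, rcode, authority):
    """Build a response with one question and the given (owner, rtype, rdata)
    tuples in the authority section. QR/RD/RA set, AD deliberately not set."""
    flags = 0x8180 | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return rcode plus (owner, type) pairs per section; assumes one question."""
    _, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                  # skip the rdata itself
            sections[name].append((owner, rtype))
    return {"qname": qname, "rcode": flags & 0x0F, "sections": sections}


def classify_nxdomain(msg):
    """'proof' when the authority section carries NSEC/NSEC3 plus RRSIG (material a
    validator could check against the root trust anchor), 'synthesized' when the
    NXDOMAIN arrives bare, 'not-nxdomain' otherwise. Signatures are not verified."""
    r = parse_response(msg)
    if r["rcode"] != RCODE_NXDOMAIN:
        return "not-nxdomain"
    types = {t for _, t in r["sections"]["authority"]}
    if TYPE_RRSIG in types and (TYPE_NSEC in types or TYPE_NSEC3 in types):
        return "proof"
    return "synthesized"


def stub_lookup(qname, qtype, forward):
    """RFC 7686 behaviour for a stub/caching resolver: answer .onion locally so the
    query never leaves the host. `forward` is a hypothetical upstream callable used
    for everything else. Returns (wire response, whether the query was forwarded)."""
    if is_onion(qname):
        return build_response(qname, qtype, RCODE_NXDOMAIN, []), False
    return forward(qname, qtype), True


# Constructed samples: placeholder rdata, not real root-zone data or signatures.
_SOA_RDATA = (encode_name("ns.constructed.") + encode_name("hostmaster.constructed.")
              + struct.pack("!IIIII", 1, 1800, 900, 604800, 86400))
# RRSIG: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
_RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_NSEC, 8, 0, 86400, 0, 0, 0)
                + encode_name(".") + b"\x00" * 16)
# NSEC: next owner name + type bitmap (window 0, 6 bytes: NS, RRSIG, NSEC)
_NSEC_RDATA = encode_name("onion-next-constructed.") + b"\x00\x06\x20\x00\x00\x00\x00\x03"

# What a resolver that synthesizes .onion NXDOMAIN itself would hand back
SYNTHESIZED = build_response("example.onion.", TYPE_A, RCODE_NXDOMAIN, [])
# What a resolver passing through the root's signed denial would hand back
PROVEN = build_response("example.onion.", TYPE_A, RCODE_NXDOMAIN, [
    (".", TYPE_SOA, _SOA_RDATA), (".", TYPE_RRSIG, _RRSIG_RDATA),
    ("omega-constructed.", TYPE_NSEC, _NSEC_RDATA),
    ("omega-constructed.", TYPE_RRSIG, _RRSIG_RDATA),
])
```

`classify_nxdomain(PROVEN)` returns `"proof"` while `classify_nxdomain(SYNTHESIZED)` returns `"synthesized"`, which is the double-edged case from the message: a forwarder behind an upstream that answers .onion locally only ever sees the second kind and has nothing to validate. `stub_lookup` shows the other side, where the .onion query is answered on the host and the upstream callable is never invoked.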