On Aug 16, 2019, at 09:26, Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
>
> On 8/16/19 3:10 PM, Ted Lemon wrote:
>> If you look up “onion”, you have revealed that the user is trying to
>> use Tor, even if you haven’t revealed where they are going.
>
> Well, in this particular case the Tor client would probably better not
> send onion queries to the DNS resolver, but generally there would be a leak,
> though the TTL is a whole day. At least unless combined with one of the
> "local root" schemes (which are so far not commonly deployed, I think).
It could leak accidentally if the URL gets sent to the wrong browser.

>> What’s the motivation behind this proposal?
>
> As I wrote, supplying the answer with a DNSSEC proof seems better to
> me. And it makes my camel a tiny bit happier, I guess :-) At that
> moment I didn't realize that if you forward to a resolver that does
> respect that SHOULD, you will not be able to obtain the proof in this
> way and consequently regress, so the change would be double-edged in
> this respect.

There is no need for DNSSEC proof of the nonexistence of these zones. They are nonexistent by postulate, not by theorem. :)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
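The behaviour both sides of the thread take for granted, a resolver or forwarder answering NXDOMAIN for .onion locally so the query (and with it the fact that someone is using Tor) never reaches an upstream resolver, as an added example that is not part of this thread and not code from any resolver project. It parses a wire-format DNS query, checks the QNAME against a short list of names treated as nonexistent by local policy (the `LOCALLY_NONEXISTENT` tuple is a hypothetical operator setting; RFC 7686 asks for .onion and RFC 6761 for .invalid to get NXDOMAIN), and either synthesizes an RCODE 3 response that echoes the question or returns `None` to mean "forward upstream". The query bytes are constructed inline; compression pointers in the question name are rejected rather than followed.

```python
import struct

# Hypothetical local policy: TLDs the forwarder answers NXDOMAIN for itself,
# without sending them upstream. RFC 7686 (.onion) and RFC 6761 (.invalid)
# both ask caching resolvers to do exactly this.
LOCALLY_NONEXISTENT = ("onion", "invalid")

RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed wire-format name starting at msg[off].
    Returns (lowercased dotted name, offset just past the terminating 0)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            # A compression pointer in a question name is not something a
            # legitimate stub sends; refuse rather than chase it.
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), off


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal recursion-desired query (constructed test input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_locally_nonexistent(qname: str) -> bool:
    """True if the rightmost label is a TLD we never forward."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-1] in LOCALLY_NONEXISTENT


def answer_or_forward(query: bytes):
    """Return a synthesized NXDOMAIN response for names that are nonexistent
    by policy, or None meaning 'forward this query upstream as usual'."""
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]            # QNAME + QTYPE + QCLASS, as sent
    if not is_locally_nonexistent(qname):
        return None
    # QR=1, keep OPCODE and RD from the query, set RA, RCODE=3.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + question


def response_id(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]


def response_flags(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0]


def rcode(msg: bytes) -> int:
    return response_flags(msg) & 0xF


if __name__ == "__main__":
    q = build_query(0x1234, "abcdefghijklmnop.onion")
    r = answer_or_forward(q)
    print("onion ->", "NXDOMAIN locally" if r is not None and rcode(r) == RCODE_NXDOMAIN else "forwarded")
    print("example.com ->", "forwarded" if answer_or_forward(build_query(1, "example.com")) is None else "answered")
```

Because the check is on the rightmost label only, a query for the bare name `onion` is also answered locally, and the name comparison is case-insensitive so `Foo.ONION` does not slip through. Note that no DNSSEC proof is attached, which is the point of the reply above: the answer is by policy, not by a signed denial from the root.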