On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <ma...@isc.org> wrote:

>
> In message <18f2eb0d-5bd0-4cc5-b02c-2e5ea0b8c...@fugue.com>, Ted Lemon
> writes:
> > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > When I validate, I get a secure denial of existence.   This is the
> > correct behavior.   Why do you think we would get a SERVFAIL?
>
> Because your testing is incomplete.
>
> Go add an empty zone (SOA and NS records only) for alt to your
> recursive server.  This is what needs to be done to prevent
> privacy leaks.
>
>
Here are some possible alternatives (to having the empty zone be named
"alt.").

First: make the locally served empty zone be "empty.as112.arpa".

Or, second method: have the DNAME RDATA be "alt.empty.as112.arpa", and the
locally served zone be the same name.

Or, third, have some other name for the zone (anything other than alt, or
really anything that doesn't collide with a global name), and then use a
local DNAME from "empty.as112.arpa" (or "alt.empty.as112.arpa") to that
zone's name (e.g. "homenet" or "homenet.local" or whatever you wish).

Since all of the above occur at or below the transition to unsigned, they
should validate. (I need to test these, but I don't see why they wouldn't
work, and all of the above avoid leaking queries to the root or to AS112
servers.)

Brian



> Configure another recursive server to forward its queries to this
> server and enable validation.
>
> Now ask for foo.alt from this second server.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
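The following is an added example, not code from this thread or from any resolver: a small model of the DNAME rewriting (RFC 6672 section 2.1) that the alternatives above rely on, used to check whether a query for "foo.alt" ends up inside a zone the recursive server serves locally or would escape to the root or AS112 servers. The zone and DNAME layouts are assumptions mirroring the messages above (the "alt." DNAME would really live in the global DNS, the others in the resolver's local configuration); the example treats both kinds alike and says nothing about DNSSEC validation, only about where the query is answered.

```python
"""Added example (not from the DNSOP thread): model DNAME rewriting and local
empty zones to see whether a query such as "foo.alt" is answered locally or
leaks upstream. Zone/DNAME layouts are constructed assumptions."""

MAX_DNAME_CHAIN = 8  # guard against a DNAME loop in the local configuration


def _labels(name):
    """Split a dot-terminated name into lower-cased labels; the root is []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def dname_substitute(qname, owner, target):
    """Apply a DNAME owner -> target to qname (RFC 6672 section 2.1).
    Returns the rewritten name, or None if qname is not strictly below owner
    (a DNAME never applies to its own owner name)."""
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    return ".".join(q[:len(q) - len(o)] + t) + "."


def local_zone_for(name, local_zones):
    """Return the apex of the locally served zone that contains name
    (longest match), or None when no local zone covers it."""
    n = _labels(name)
    best = None
    for apex in local_zones:
        a = _labels(apex)
        if len(n) >= len(a) and n[len(n) - len(a):] == a:
            if best is None or len(a) > len(_labels(best)):
                best = apex
    return best


def trace_query(qname, dnames, local_zones):
    """Follow DNAME substitutions (closest-enclosing owner first) until the
    name falls inside a locally served zone. Returns (final_name, zone_apex);
    zone_apex is None when the query would leave the resolver, i.e. leak."""
    name = qname
    for _ in range(MAX_DNAME_CHAIN):
        zone = local_zone_for(name, local_zones)
        if zone is not None:
            return name, zone
        match = None
        for owner, target in dnames.items():
            new = dname_substitute(name, owner, target)
            if new is not None and (match is None or
                                    len(_labels(owner)) > len(_labels(match[0]))):
                match = (owner, new)
        if match is None:
            return name, None
        name = match[1]
    return name, None  # chain too long: treat as unresolved/leaking


# Constructed scenarios mirroring the thread (assumed layouts, not real config).
# Each entry: (DNAME records as owner -> target, locally served zone apexes).
SCENARIOS = {
    # Mark's suggestion: serve an empty "alt" zone locally, no DNAME involved
    "empty alt zone": ({}, ["alt."]),
    # Alternative 1: DNAME alt -> empty.as112.arpa, serve empty.as112.arpa locally
    "alt1": ({"alt.": "empty.as112.arpa."}, ["empty.as112.arpa."]),
    # Alternative 2: DNAME target and local zone are both alt.empty.as112.arpa
    "alt2": ({"alt.": "alt.empty.as112.arpa."}, ["alt.empty.as112.arpa."]),
    # Alternative 3: local DNAME from empty.as112.arpa to a private zone name
    "alt3": ({"alt.": "empty.as112.arpa.", "empty.as112.arpa.": "homenet."},
             ["homenet."]),
    # Misconfiguration: DNAME present but nothing served locally, so it leaks
    "no local zone": ({"alt.": "empty.as112.arpa."}, []),
}


def run_scenarios(qname="foo.alt."):
    """Trace one query name through every scenario; returns label -> result."""
    return {label: trace_query(qname, dn, lz)
            for label, (dn, lz) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (name, zone) in run_scenarios().items():
        where = f"served locally from {zone}" if zone else "LEAKS upstream"
        print(f"{label:15s} {name:28s} -> {where}")
```

The "no local zone" scenario is the failure mode the thread is about: a DNAME alone only renames the query, and the rewritten name still goes to the AS112 or root servers unless the resolver also serves the target zone itself.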
