In message <fb835756-2c46-40a9-88ed-2f8adf812...@fugue.com>, Ted Lemon writes:
> > On Feb 7, 2017, at 4:48 PM, Mark Andrews <ma...@isc.org> wrote:
> > Go add an empty zone (SOA and NS records only) for alt to your
> > recursive server. This is what needs to be done to prevent
> > privacy leaks.
>
> No, the recursive server can just cache the proof of nonexistence. I
> didn't query the root when I did my test -- I ran the query through
> Comcast's servers. Worked just fine. Yes, if you configure your local
> server to lie, that won't work. That's by design.
And how does the server get the proof of non-existence? It needs to
leak a query. Your server asked Comcast's servers. They in turn asked
the root servers. By doing so you leaked the query to both Comcast and
the root. Unless you have aggressive negative caching or qname
minimisation you will leak all the leaked *.alt names. Are you
requiring that every recursive nameserver on the planet older than a
couple of months be upgraded rather than reconfigured to get privacy?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
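The reconfiguration Mark describes (an empty zone for alt, SOA and NS only, so the resolver answers locally and never forwards *.alt queries upstream) as it would be done on a BIND 9 resolver. This is an added example, not code from the original thread; the file paths, the zone name and the `localhost.` placeholder names are assumptions.

```shell
#!/bin/sh
# Added example: make a BIND 9 recursive server locally authoritative for an
# empty "alt" zone so lookups under it are answered (NXDOMAIN) from the local
# cache instead of being leaked to a forwarder or the root servers.
# Paths are assumptions (Debian-style layout); adjust for your installation.
set -eu

# Write a minimal zone file that contains only the SOA and NS records.
# $1 = zone file path
write_empty_zone_file() {
    cat > "$1" <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. (
            1        ; serial
            3600     ; refresh
            900      ; retry
            604800   ; expire
            86400 )  ; negative-caching TTL
@   IN  NS  localhost.
EOF
}

# Print the named.conf stanza that makes this server authoritative for the
# zone ("type master" is spelled "type primary" in newer BIND releases).
# $1 = zone name, $2 = zone file path
empty_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# Create the zone file and append the stanza to a config fragment.
# $1 = config file to append to, $2 = zone name, $3 = zone file path
install_empty_zone() {
    write_empty_zone_file "$3"
    empty_zone_stanza "$2" "$3" >> "$1"
}

# Example usage (assumed paths); afterwards run "rndc reconfig":
# install_empty_zone /etc/bind/named.conf.local alt /etc/bind/db.empty-alt
```

To confirm the leak is closed, query the resolver for a name under the zone (for example `dig @127.0.0.1 example.alt`): the answer should be NXDOMAIN with this zone's SOA in the authority section, and a packet capture on the upstream interface should show no outbound query for it.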
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop