- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 28 Nov 2015 10:40:32 +1100
- To: Cory Benfield <cory@lukasa.co.uk>
- Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Cory,

> On 27 Nov 2015, at 7:32 pm, Cory Benfield <cory@lukasa.co.uk> wrote:
>
> I agree with Willy here, sadly. I have absolutely no intention of adding this exception for .onion names to any software I work on.
>
> Why is this the DNS client’s problem? If we really don’t want .onion names to leak over DNS, why don’t we add a new DNS RFC that specifies that conformant resolvers don’t emit queries for .onion names?

7686 requires both resolvers and applications to stop emitting queries for .onion names. This is defence in depth; updating DNS resolvers takes time, so applications that care about their users' privacy will assure that those queries are stopped earlier.

You can certainly choose not to implement RFC7686 (there are no RFC police), and there won't be any reduction in interoperability, just security (due to the leakage of requests).

That said, I don't see how it serves your users well to reject it out of hand. If they accidentally make .onion queries without configuring to use Tor, they'll be unpleasantly surprised (and the consequences could be much worse, depending on their situation).

Cheers,

--
Mark Nottingham
https://www.mnot.net/
Received on Friday, 27 November 2015 23:41:03 UTC
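The application-side half of RFC 7686 that the reply describes, as an added example (not code from the list participants or any of their projects): a `getaddrinfo` wrapper that recognises a `.onion` name and raises before any query can reach the stub resolver. The hostnames in the demo and the names `OnionLeakError`, `is_onion_name` and `safe_getaddrinfo` are constructed for this illustration.

```python
import socket

ONION_TLD = "onion"  # the special-use top-level domain reserved by RFC 7686


class OnionLeakError(Exception):
    """Raised instead of letting a .onion name reach the DNS."""


def is_onion_name(host: str) -> bool:
    """Return True if host falls under .onion.

    Matching is case-insensitive, tolerates a trailing dot (FQDN form)
    and covers any depth of subdomain, e.g. 'www.example.onion.'.
    """
    labels = host.strip().rstrip(".").lower().split(".")
    return labels[-1] == ONION_TLD


def safe_getaddrinfo(host: str, port: int, *args, **kwargs):
    """Drop-in wrapper for socket.getaddrinfo that refuses .onion names.

    A non-Tor application should generate an error and not perform a DNS
    lookup for .onion names. The check runs before any query is built, so
    it holds even on hosts whose system resolver has not been updated;
    that is the defence-in-depth layer the reply refers to.
    """
    if is_onion_name(host):
        raise OnionLeakError(
            f"refusing to resolve {host!r} via DNS: .onion names are reserved "
            "for Tor and must not be sent to resolvers (RFC 7686)"
        )
    return socket.getaddrinfo(host, port, *args, **kwargs)


if __name__ == "__main__":
    # Constructed sample names; only the numeric address is actually resolved,
    # so the demo needs no network access.
    for name in ("example.onion", "WWW.Example.ONION.", "onion.example.com"):
        print(f"{name:22s} onion={is_onion_name(name)}")
    try:
        safe_getaddrinfo("example.onion", 443)
    except OnionLeakError as err:
        print("blocked:", err)
    print("allowed:", safe_getaddrinfo("127.0.0.1", 443)[0][4])
```

A Tor-aware application would instead hand the unresolved name to its SOCKS proxy; this wrapper is only for software that does not speak Tor.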