louiz | 7 years ago

That's wrong though, the ICANN sees the whole domain, dissidents.github.io and replies with "I don't know, but ask the owner of .IO which is xx.xx.xx.xx"

Well, unless the servers implement https://tools.ietf.org/html/rfc7816, which is experimental and quite recent.

Unbound seems to support it, which is great (and that makes you right, actually, if the user installs this software). I don't know for others.

a1369209993|7 years ago

Actually, this appears to be implementation-specific? The resolver I looked at a while ago[0] did something like:

  @. io NS -> ns1.io # (for example[1])
  @. ns1.io A -> x.x.x.x
  @x.x.x.x github.io NS -> ns1.github.io
  @x.x.x.x ns1.github.io A -> y.y.y.y
  @y.y.y.y dissidents.github.io A -> z.z.z.z
  return z.z.z.z

caching every step of the way. Admittedly, I don't know that it wasn't going out of its way to avoid leaking, but this was circa 2012 or so, so it predates rfc7816 at least.

0: found by googling "dns recursive resolver example code" or something to that effect

1: There's actually several NS entries, with retrying/failover.
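
Added example, not from either commenter or from any resolver's code: a toy iterative resolver that records which QNAME and QTYPE the servers for each zone receive, with and without RFC 7816 minimisation. The delegation table is constructed to follow the trace above, the answer is a placeholder, and all function names are hypothetical.

```python
# Constructed delegation tree following the thread's trace; not real DNS data.
DELEGATIONS = {".": ["io."], "io.": ["github.io."], "github.io.": []}
# Placeholder answer, as in the thread.
RECORDS = {("dissidents.github.io.", "A"): "z.z.z.z"}


def query(zone, qname, qtype):
    """What the servers for `zone` reply to one query."""
    for child in DELEGATIONS[zone]:
        if qname == child or qname.endswith("." + child):
            return "referral", child
    if (qname, qtype) in RECORDS:
        return "answer", RECORDS[(qname, qtype)]
    return "nodata", None


def resolve(qname, qtype="A", minimise=False):
    """Iterate from the root; return (answer, [(zone_asked, qname_sent, qtype_sent)])."""
    labels = qname.rstrip(".").split(".")
    zone, depth, seen = ".", 1, []
    while True:
        if minimise and depth < len(labels):
            # RFC 7816: expose one label below the known zone, as an NS query.
            sent = (".".join(labels[-depth:]) + ".", "NS")
        else:
            sent = (qname, qtype)
        seen.append((zone, *sent))
        kind, value = query(zone, *sent)
        if kind == "referral":
            zone, depth = value, value.count(".") + 1
        elif sent == (qname, qtype):
            return value, seen
        else:
            depth += 1  # no zone cut at this label; reveal one more


def leaked_to(seen, qname):
    """Zones whose servers saw the full query name."""
    return [zone for zone, sent_name, _ in seen if sent_name == qname]


if __name__ == "__main__":
    name = "dissidents.github.io."
    for mode in (False, True):
        answer, seen = resolve(name, minimise=mode)
        print("minimise =", mode, "->", answer)
        for zone, sent_name, sent_type in seen:
            print(f"  servers for {zone:<11} saw {sent_name} {sent_type}")
        print("  full name seen by:", leaked_to(seen, name))
```

Without minimisation the root and `io.` servers both receive the full name; with it, only the servers for the final zone do.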