
Comment Re:Do no evil, eh? (Score 1) 271

Yes, somebody IS getting "extra information", because now the DNS does not generally know the IP ("caller id") of whoever is making the request.

As I said,

Assuming you were going to call www.google.com (and not just looking up their number for fun) then google was going to see your caller id anyway.

Who runs Google's DNS servers? Google. Who runs Yahoo's DNS servers? Yahoo. If you're going to connect to Google, their web server is going to see your full IP address. Why does it matter if their DNS server might also see part of it a few milliseconds beforehand?

Google's DNS server isn't going to see your Yahoo traffic or your joeblogs.com traffic, it's only going to see your Google traffic in which case Google was going to see your IP address anyway. Making the distinction between Google's DNS server and Google's webserver seeing your IP address makes no sense here. The info obtained by the DNS server is a subset of the info obtained by the web server.

The relevant party here is Google or Yahoo as a whole. Are you trying to say that Yahoo's yahoo.com authoritative DNS servers and Yahoo's web servers count as separate parties for privacy purposes?

For smaller websites this can actually be true as they may not manage their own DNS and so there is another party here (probably their hosting provider who can sniff all their traffic anyway). But nobody here is accusing smaller websites and their DNS providers of trying to enslave the world with a DNS RFC.

Comment Re:Do no evil, eh? (Score 1) 271

DNS blacklists are very, very far away from the nonsensical privacy concerns all over this thread. You are correct: if you do your blacklist lookups through a 3rd-party resolver which implements this optional extension, then the blacklist provider may find out your /24 for any lookups you do that aren't in the resolver's cache already. If that bothers you, use a different resolver or use the opt-out mechanism, which signals to the resolver not to pass any information. But it seems odd to me that someone trusts their 3rd-party DNS resolver (who gets to see all your queries) more than they trust the blacklist provider (who might get to see some obfuscated queries).

The other examples do not involve addresses, and even for the blacklist example you put "address" in quotes, so I think you agree that there are no "OMG Google wants to know where I am and force me into an arranged marriage" issues here.

As for caching, read the RFC, it covers it. Caching is not thrown out. It does become harder for any resolver that implements this optional extension: the cache key becomes (query, address_prefix) so you need a bigger cache. However, the resolver is in control of how big or small an address_prefix it sends. That's the trade-off for giving better answers to your users.

The whole thing is a non-event if you run a resolver at home or in a small office. As long as the resolver is networkologically close to its users there is no need to bother with this extension. Even if you run a massive world-spanning resolver, you can ignore this extension if you like and continue to give your users crappy results.

The only people who will implement this are geographically diverse DNS providers and geographically diverse content providers - it just helps them play well together.
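The comment above says the cache key becomes (query, address_prefix). The following is an added example, not code from the original post or from any resolver, showing what that looks like: answers are cached under the client network they apply to, a scope prefix of 0 is stored once for everyone, and a more specific network wins over a broader one. It assumes, following the published EDNS Client Subnet RFC rather than the 2010 draft, that the authoritative server returns a scope prefix length in its reply; the names, addresses and TTLs in the sample data are constructed.

```python
import ipaddress
import time


class EcsAwareCache:
    """Positive-answer cache keyed on (qname, qtype, client network).

    Assumption: scope_prefix is what the authoritative server returned in
    its reply, which may be shorter than the source prefix the resolver sent.
    A scope of 0 means "same answer for every client" and is stored once.
    """

    def __init__(self):
        # (qname, qtype) -> list of (network, answer, expiry timestamp)
        self._entries = {}

    @staticmethod
    def _key(qname, qtype):
        return (qname.rstrip(".").lower(), qtype.upper())

    def store(self, qname, qtype, client_addr, scope_prefix, answer, ttl, now=None):
        """Cache an answer under the network the authority said it covers."""
        now = time.time() if now is None else now
        # strict=False so host bits in client_addr are masked off, not rejected
        net = ipaddress.ip_network(f"{client_addr}/{scope_prefix}", strict=False)
        key = self._key(qname, qtype)
        bucket = [e for e in self._entries.get(key, []) if e[0] != net]
        bucket.append((net, answer, now + ttl))
        self._entries[key] = bucket

    def lookup(self, qname, qtype, client_addr, now=None):
        """Return the most specific unexpired answer covering client_addr, else None."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(client_addr)
        best = None
        for net, answer, expiry in self._entries.get(self._key(qname, qtype), []):
            # "ip in net" is False across address families, so a v6 client
            # never matches a v4 scope and vice versa
            if expiry <= now or ip not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, answer)
        return None if best is None else best[1]

    def entries_for(self, qname, qtype):
        """How many distinct networks are cached for one name: the 'bigger cache' cost."""
        return len(self._entries.get(self._key(qname, qtype), []))


def populate_sample_cache(now):
    """Constructed sample traffic: one geo-balanced name, one static name."""
    cache = EcsAwareCache()
    # www.example answers differ per client network (documentation ranges)
    cache.store("www.example", "A", "192.0.2.10", 24, "198.51.100.1", 300, now)
    cache.store("www.example", "A", "203.0.113.5", 24, "198.51.100.2", 300, now)
    # authority answered this client with a broader /16 scope
    cache.store("www.example", "A", "192.0.9.9", 16, "198.51.100.3", 300, now)
    # static.example returned scope 0: one entry serves every client
    cache.store("static.example", "A", "192.0.2.10", 0, "198.51.100.9", 300, now)
    return cache


if __name__ == "__main__":
    c = populate_sample_cache(now=1000.0)
    print(c.entries_for("www.example", "A"), c.lookup("www.example", "A", "192.0.2.200", now=1000.0))
```

Three client networks produce three entries for www.example where a classic cache would hold one, which is the trade-off the comment describes; the resolver limits that growth by choosing how long a source prefix it sends.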

Comment Re:Do no evil, eh? (Score 1) 271

If you don't trust the website then why are you trying to connect to it?

Who said that only web sites use DNS? There's a lot more internet out there than you see on the world wide web. Most of it uses DNS resolution.

And is there any service where you do an address lookup and then toss the result without sending anything to the resulting IP address?

Yes, there's more than http, but the same model applies to all services that use DNS for address lookup: you eventually send something to the address that you looked up and the server can then see your full IP address.

If you think I'm wrong, please give an example.

Comment Re:Do no evil, eh? (Score 2, Informative) 271

Maybe I'm misunderstanding this, but it sounds like this DNS "fix" will require that before I can read web sites I have to submit some information about my location.

You absolutely are misunderstanding it (or rather you are correctly understanding most of the posts here but they have little to do with the real proposal). You will not have to submit anything before doing anything. Nobody is getting any extra information here. If you think websites don't already know where you are, think again!

In terms of telephone calls, DNS is the telephone directory service. You want to phone www.google.com, so you phone .com and ask them for the google.com number. Then you phone google.com and ask them for the www.google.com number. Because google has branches of www all over the country, they give you a number for www in your local area, so the call is cheaper and better line quality. They can do this because they can see your caller id so they know roughly where you live.

Now let's say you don't like having to do so many steps all the time so you use a 3rd party service, let's call it ultraphone. You always ring the same number for ultraphone and they perform all the steps and give you back the final answer. The problem is that google.com now sees ultraphone's caller id not yours so you get back a number that's in ultraphone's home-town not your home-town.

This proposed extension just allows ultraphone to tell google "I'm calling on behalf of please give me the number you would give them".

So you get a number that's local for you instead of one that's local for ultraphone.

The problem that is being fixed here is that ultraphone saves you hassle while getting the phone number but it gets you a bad phone number (not a wrong one just not the best one for you). Right now you have to decide which you prefer, fast lookups with sub-optimal results or awkward lookups with optimal results.

This extension lets you have fast lookups with optimal results.

Assuming you were going to call www.google.com (and not just looking up their number for fun) then google was going to see your caller id anyway. This extension just changes when it sees it. Right now if you use a 3rd party DNS provider it gets your IP too late to do good load balancing and that hurts users and may consume extra bandwidth.

Chances are that if you don't know about this stuff then you're using your ISP's DNS service and for some big ISPs that may mean a server hundreds of miles away, giving you sub-optimal answers.
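The "ultraphone tells google who it is calling on behalf of" step above, and the opt-out mentioned in the earlier comment, are carried in one EDNS0 option. This is an added example, not code from the original post or from any DNS implementation: it encodes and decodes that option the way the published EDNS Client Subnet RFC (RFC 7871) lays it out, with the resolver sending only a truncated prefix (the /24 of the thread), prefix 0 for "send nothing", and the authoritative server's reply carrying a scope prefix. The option code 8 is the value RFC 7871 assigned; the 2010 draft discussed here used an experimental code, so that and the sample addresses are assumptions.

```python
import ipaddress
import struct

# Option code 8 is the IANA value for EDNS Client Subnet in RFC 7871.
# Assumption: the 2010 draft used an experimental code; layout here follows the RFC.
ECS_OPTION_CODE = 8
FAMILY_IPV4 = 1
FAMILY_IPV6 = 2


def truncate_address(addr: str, prefix_len: int) -> bytes:
    """Return only the octets a resolver is allowed to forward.

    The option carries ceil(prefix_len / 8) octets of the client address and
    every bit beyond prefix_len inside the last octet must be zero. A prefix
    of 0 (the opt-out) carries no address octets at all.
    """
    packed = ipaddress.ip_address(addr).packed
    if not 0 <= prefix_len <= len(packed) * 8:
        raise ValueError("prefix length out of range for address family")
    nbytes = (prefix_len + 7) // 8
    kept = bytearray(packed[:nbytes])
    spare_bits = prefix_len % 8
    if spare_bits:
        kept[-1] &= (0xFF << (8 - spare_bits)) & 0xFF
    return bytes(kept)


def build_ecs_option(addr: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Encode one OPT RR option: code, length, then FAMILY/SOURCE/SCOPE/ADDRESS.

    A resolver sends scope_prefix 0; the authoritative server echoes the option
    back with scope_prefix set to how specific its answer actually was.
    """
    family = FAMILY_IPV4 if ipaddress.ip_address(addr).version == 4 else FAMILY_IPV6
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix)
    payload += truncate_address(addr, source_prefix)
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(option: bytes) -> dict:
    """Decode and validate an ECS option as the receiving server would.

    Rejects an address length that disagrees with the prefix length and any
    non-zero bits beyond the stated prefix, so a sloppy or malicious resolver
    cannot leak more of the client address than the prefix claims.
    """
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    payload = option[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("option payload truncated")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", payload[:4])
    address = payload[4:]
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError(f"unknown address family {family}")
    full_len = 4 if family == FAMILY_IPV4 else 16
    if source_prefix > full_len * 8:
        raise ValueError("source prefix longer than address")
    if len(address) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    spare_bits = source_prefix % 8
    if spare_bits and address[-1] & (0xFF >> spare_bits):
        raise ValueError("non-zero bits beyond the source prefix")
    # pad back to a full address so the standard library can render the network
    padded = address + b"\x00" * (full_len - len(address))
    network = ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{source_prefix}")
    return {
        "family": family,
        "source_prefix": source_prefix,
        "scope_prefix": scope_prefix,
        "network": str(network),
    }


if __name__ == "__main__":
    # Constructed sample: a resolver forwards the /24 of a client at 192.0.2.77
    opt = build_ecs_option("192.0.2.77", 24)
    print(opt.hex(), parse_ecs_option(opt))
```

The wire bytes for that /24 case are 00 08 (code) 00 07 (length) 00 01 (IPv4) 18 (source /24) 00 (scope) c0 00 02 (192.0.2, no last octet): the resolver never puts the client's full address on the wire, which is the "part of it" the thread keeps coming back to.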

Comment Re:Do no evil, eh? (Score 1) 271

My guess is google wants to use it to better target ads. I can see the server going "oh that ip address is on main street - lets show them the ad for the restaurant that's just down the street".

But as you said above

The ip you're looking up gets this info as soon as you connect anyway.

So they can target the ad perfectly well already.

Where this benefits google and other websites is that people who use ultradns, opendns or just an ISP that has a small number of resolvers for a large geographic area will get correctly load balanced.

Where this benefits ultradns, opendns and google public dns is that people will stop complaining that youtube gets slow when they use one of these public resolvers and so people will be happier to use them.

Comment Re:Do no evil, eh? (Score 1) 271

There are at most 3 other parties involved: your ISP, your DNS resolver (if you don't manage that yourself) and the website (if the website does not run its own DNS service there is a one more party but it's probably the website's hosting provider which could sniff all of their traffic anyway).

With or without this extension all 3 of these other parties have access to your IP address and can prevent you from accessing the site.

If you think I'm still missing the point, please give an example where this extension enables some other interested party to snoop or block you.

Comment Re:Do no evil, eh? (Score 5, Informative) 271

On your point about the Iran point...I think there is still the issue of intermediate servers sending "domain doesn't exist" messages to Libyan requests before the packet even reaches the intended destination.

What intermediate servers? The only parties involved here are you, the website and a 3rd-party resolver that you have chosen to use.

If you don't trust your 3rd-party resolver then you're screwed with or without this extension because this resolver can see your full IP address and can lie to you about DNS (e.g. sending you to an ad site instead of saying "no such domain" or whatever).

If you don't trust the website then why are you trying to connect to it? The website will get your full IP address as soon as you connect and can then do whatever it likes with that.

Assuming you are actually planning on connecting to the website and not just doing DNS requests for the sake of it, nobody gets any information that they weren't going to get anyway and nobody has any opportunity to block you that they weren't going to have anyway.

Comment Re:Do no evil, eh? (Score 5, Insightful) 271

Well, the summary lists two ways that this could be used for "evil":

1) Or it would allow any interested party to look at your DNS requests.
2) Or it would send a user from Iran or Libya to a "domain name doesn't exist" server.

Violating privacy and enabling censorship have no place in the Western world.

You are assuming that the summary bears any relation to reality!

The proposal is that your ISP's resolver will pass your approximate IP address when doing a DNS request on your behalf so that you can be sent to a close-by server for your actual TCP connection.

What extra information does someone get here? How does this allow "any interested party to look at your DNS requests"?

On the Iran point, if the website wants to block users from Iran, they can do that when you make the TCP connection - at that time they get your exact IP address and can apply any filtering policy they like.
