Bug 1127 - Stricter qname minimisation
Stricter qname minimisation
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
1.5.10
All All
: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-10 18:29 CEST by Stéphane Bortzmeyer
Modified: 2016-10-14 14:02 CEST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stéphane Bortzmeyer 2016-10-10 18:29:49 CEST
Currently, Unbound with "qname-minimisation: yes" falls back to the full QNAME when it receives a NXDOMAIN. This is to work around broken name servers such as Akamai's. It defeats the point of QNAME minimisation (privacy).

It would be nice if the "qname-minimistaion:" parameter were tri-valued: yes, no and "strict". The new value "strict" would mean "be picky, apply the DNS rules stricly, do not fallback when you received a NXDOMAIN".
Comment 1 Ralph Dolmans 2016-10-11 13:52:53 CEST
Hi Stephane,

I added a qname-minimisation-strict configuration option. When enabled Unbound will not fall-back to the full QNAME. This option only has effect when qname-minimisation is enabled.

Also note that, even without the strict option, Unbound will not fall-back when receiving an NXDOMAIN rcode for a DNSSEC signed zone.

Regards,
-- Ralph
Comment 2 Stéphane Bortzmeyer 2016-10-14 14:02:21 CEST
Thanks! Testing soon.