Bug 1127

Summary: Stricter qname minimisation
Product: unbound
Reporter: Stéphane Bortzmeyer <bortzmeyer+nlnetlabs>
Component: server
Assignee: unbound team <unbound-team>
Status: ASSIGNED
Severity: enhancement
CC: cathya, ralph
Priority: P5
Version: 1.5.10
Hardware: All
OS: All

Description Stéphane Bortzmeyer 2016-10-10 18:29:49 CEST
Currently, Unbound with "qname-minimisation: yes" falls back to the full QNAME when it receives a NXDOMAIN. This is to work around broken name servers such as Akamai's. It defeats the point of QNAME minimisation (privacy).

It would be nice if the "qname-minimisation:" parameter were tri-valued: yes, no and "strict". The new value "strict" would mean "be picky, apply the DNS rules strictly, do not fall back when you received a NXDOMAIN".
Comment 1 Ralph Dolmans 2016-10-11 13:52:53 CEST
Hi Stephane,

I added a qname-minimisation-strict configuration option. When enabled Unbound will not fall back to the full QNAME. This option only has effect when qname-minimisation is enabled.

Also note that, even without the strict option, Unbound will not fall back when receiving an NXDOMAIN rcode for a DNSSEC signed zone.

Regards,
-- Ralph
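To make the trade-off in this report concrete, here is an added simulation (not Unbound's code and not part of the bug thread) of a resolver walking a constructed four-zone chain with and without QNAME minimisation, with and without the NXDOMAIN fallback, and with the DNSSEC-signed exception Ralph mentions. Each simulated zone records the query names it receives, so the output shows exactly which server learns the full name in each mode. The zone names ("cdn.net.", "r1.edge.cdn.net.", "host.r1.edge.cdn.net."), the "broken server answers NXDOMAIN for an empty non-terminal" behaviour, and the fallback rule "resend the full QNAME from the server that said NXDOMAIN onwards" are all modelling assumptions chosen to match the report, not details taken from Unbound's implementation.

```python
"""Model of QNAME minimisation with and without the NXDOMAIN fallback.
Constructed example for this report; it is not Unbound's implementation."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One authoritative zone that logs every query name it receives."""
    name: str                                      # zone apex, e.g. "net."
    names: set = field(default_factory=set)        # owner names with records
    delegations: set = field(default_factory=set)  # apexes of child zones
    broken: bool = False    # assumption: answers NXDOMAIN for empty non-terminals
    signed: bool = False    # DNSSEC-signed zone: resolver never falls back
    seen: list = field(default_factory=list)       # every qname this server saw

    def query(self, qname):
        self.seen.append(qname)
        if qname == self.name or qname in self.names:
            return "NOERROR"
        if any(qname == d or qname.endswith("." + d) for d in self.delegations):
            return "NOERROR"                 # at or below a zone cut: referral
        if any(n.endswith("." + qname) for n in self.names | self.delegations):
            # Empty non-terminal: the name exists but holds no records. The
            # correct answer is NOERROR/NODATA; a broken server says NXDOMAIN.
            return "NXDOMAIN" if self.broken else "NOERROR"
        return "NXDOMAIN"


def ancestors(qname):
    """Query names from the TLD down to qname: "net.", "cdn.net.", ..."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def parent_zone(name, zones):
    """Closest zone strictly above name, i.e. the server that is asked about it."""
    best = zones["."]
    for zone in zones.values():
        if (zone.name != "." and name.endswith("." + zone.name)
                and len(zone.name) > len(best.name)):
            best = zone
    return best


def resolve(qname, zones, minimise=True, strict=False):
    """Return the final rcode; each Zone's .seen shows what that server learned."""
    chain = ancestors(qname)
    start = 0
    if minimise:
        for i, name in enumerate(chain):
            zone = parent_zone(name, zones)
            rcode = zone.query(name)          # minimised: only the next label
            if rcode != "NXDOMAIN":
                continue
            if strict or zone.signed:
                return "NXDOMAIN"             # strict: trust the rcode, stop here
            start = i                         # fallback: full QNAME from here on
            break
        else:
            return rcode
    last = None
    for name in chain[start:]:
        zone = parent_zone(name, zones)
        if zone is last:
            continue                          # same server, one query is enough
        rcode = zone.query(qname)             # every server sees the full name
        last = zone
        if rcode == "NXDOMAIN":
            break
    return rcode


def run(minimise=True, strict=False, broken=True, signed=False):
    """Resolve a constructed name through a 4-zone chain whose third zone has an
    empty non-terminal ("edge.cdn.net."); return (rcode, {zone: names seen})."""
    zones = {
        ".": Zone(".", delegations={"net."}),
        "net.": Zone("net.", delegations={"cdn.net."}),
        "cdn.net.": Zone("cdn.net.", delegations={"r1.edge.cdn.net."},
                         broken=broken, signed=signed),
        "r1.edge.cdn.net.": Zone("r1.edge.cdn.net.",
                                 names={"host.r1.edge.cdn.net."}),
    }
    rcode = resolve("host.r1.edge.cdn.net.", zones, minimise, strict)
    return rcode, {z.name: z.seen for z in zones.values()}


if __name__ == "__main__":
    for label, kw in [("no minimisation", dict(minimise=False)),
                      ("minimisation, broken server, fallback", {}),
                      ("minimisation, broken server, strict", dict(strict=True)),
                      ("minimisation, broken server, signed zone", dict(signed=True)),
                      ("minimisation, correct server", dict(broken=False))]:
        rcode, seen = run(**kw)
        print(f"{label}: {rcode}")
        for zone, names in seen.items():
            print(f"  {zone:20} saw {names}")
```

Running it shows the three outcomes the thread is about: with fallback, the broken "cdn.net." server ends up seeing the full name even though a correctly behaving server at that position would only ever see "edge.cdn.net." and the referral name; in strict mode (or when the zone is DNSSEC-signed) nothing beyond the minimised name leaks, but the lookup returns NXDOMAIN, which is the availability cost an operator accepts when turning on qname-minimisation-strict.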
Comment 2 Stéphane Bortzmeyer 2016-10-14 14:02:21 CEST
Thanks! Testing soon.