Bugzilla – Full Text Bug Listing
Summary: Stricter qname minimisation
Product: unbound
Component: server
Reporter: Stéphane Bortzmeyer <bortzmeyer+nlnetlabs>
Assignee: unbound team <unbound-team>
Description Stéphane Bortzmeyer 2016-10-10 18:29:49 CEST
Currently, Unbound with "qname-minimisation: yes" falls back to the full QNAME when it receives a NXDOMAIN. This is to work around broken name servers such as Akamai's. It defeats the point of QNAME minimisation (privacy). It would be nice if the "qname-minimisation:" parameter were tri-valued: yes, no and "strict". The new value "strict" would mean "be picky, apply the DNS rules strictly, do not fall back when you received a NXDOMAIN".
Comment 1 Ralph Dolmans 2016-10-11 13:52:53 CEST
Hi Stephane, I added a qname-minimisation-strict configuration option. When enabled, Unbound will not fall back to the full QNAME. This option only has effect when qname-minimisation is enabled. Also note that, even without the strict option, Unbound will not fall back when receiving an NXDOMAIN rcode for a DNSSEC signed zone. Regards, -- Ralph
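The trade-off discussed above, as an added Python model that is not Unbound's code and not part of the original thread: it records which names an authoritative server sees with and without the fallback. The zone contents, both toy servers and the `strict`/`signed` flags are constructed for illustration; query types and referrals are ignored.

```python
# Simplified model of the fallback behaviour described in this bug (not Unbound's code).
# All names and both toy servers are constructed for the example.
EXISTING = {"a.b.example."}  # "b.example." is an empty non-terminal


def compliant_server(name):
    # NOERROR for existing names and for empty non-terminals above them
    hit = any(n == name or n.endswith("." + name) for n in EXISTING)
    return "NOERROR" if hit else "NXDOMAIN"


def broken_server(name):
    # Wrongly answers NXDOMAIN for empty non-terminals
    return "NOERROR" if name in EXISTING else "NXDOMAIN"


def minimised_names(qname, zone_cut):
    """Names asked of the zone_cut servers, adding one label per query."""
    labels = qname.rstrip(".").split(".")
    extra = len(labels) - len(zone_cut.rstrip(".").split("."))
    return [".".join(labels[extra - i:]) + "." for i in range(1, extra + 1)]


def resolve(qname, zone_cut, server, strict=False, signed=False):
    """Return (rcode, list of names the server saw)."""
    sent = []
    rcode = "SERVFAIL"
    for name in minimised_names(qname, zone_cut):
        sent.append(name)
        rcode = server(name)
        if rcode != "NXDOMAIN" or name == qname:
            continue
        # NXDOMAIN on a minimised name: strict mode (or a signed zone)
        # trusts it; otherwise fall back and disclose the full QNAME.
        if not (strict or signed):
            sent.append(qname)
            rcode = server(qname)
        break
    return rcode, sent


if __name__ == "__main__":
    for srv in (compliant_server, broken_server):
        for q in ("secret.host.nx.example.", "a.b.example."):
            for strict in (False, True):
                print(srv.__name__, q, "strict" if strict else "fallback",
                      resolve(q, "example.", srv, strict=strict))
```

With the fallback, a lookup under a nonexistent `nx.example.` still sends the full name to the server; in strict mode only `nx.example.` is sent, at the cost of failing `a.b.example.` on the broken server.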
Comment 2 Stéphane Bortzmeyer 2016-10-14 14:02:21 CEST
Thanks! Testing soon.