Hi Niall & Randy,

I'm using my version of DJB's dnscache [https://www.fehcom.de/ipnet/djbdnscurve6.html]:

The test claims false results given a 'warm' cache.

./dnstext a.b.qnamemin-test.internet.nl
NO - QNAME minimisation is NOT enabled on your resolver :(

I just used the 100k DNS data sets provided here recently to feed my cache ;-)

Query/response path:

myip            -> 185.49.140.60        TXT a.b.qnamemin-test.internet.nl
185.49.140.60   -> myip                 TXT a.b.qnamemin-test.internet.nl NS ns.qnamemin.test.internet.nl (glue) A 185.49.141.12 AAAA 2a04:b900:0:100::8:28
myip            -> 185.49.141.12        TXT a.b.qnamemin-test.internet.nl
185.49.141.12   -> myip                 TXT a.b.qnamemin-test.internet.nl (text ...)

Sorry, this test doesn't mean anything, since it can not distinguish the way 
the query comes in.

BTW: It is not 'privacy' RFC 7816 is claiming; it is query obfuscation at the 
NS, not more. 

Remark: QnameMin only helps in case many labels are encountered; this is not 
common in today's internet any more. Just getting rid of the first label is 
not worth including more complexity in the code, IMHO.

Regards.
--eh. 


> On 27.04.2019 at 11:49, Niall O'Reilly <niall.orei...@ucd.ie> wrote:
> 
> On 26 Apr 2019, at 10:02, Mirjam Kuehne wrote:
> 
>> Wouter de Vries, Moritz Mueller and others did a study on qmin deployment
>> and the associated challenges:
>> 
>> https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-with-qname-minimisation
> 
> In which they mention:
>> 
>> You can test whether your resolver supports qmin by querying the domain 
>> below, using the command line tool dig, which relies on the same technique:
>> 
>> dig a.b.qnamemin-test.internet.nl TXT
> 
> I really appreciate it when people don't just do the study, but let others
> know how to confirm that their configuration looks "right" from the outside.
> 
> Thanks to the authors!
> 
> /Niall
> 
> 

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id 7E4034BE
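
Added example, not part of the original message or of djbdnscurve6: a small audit that judges QNAME minimisation (RFC 7816) from the upstream queries themselves, as in the query/response path above, instead of from the TXT answer. The zone each server is authoritative for is an assumption inferred from the referral shown in the message; the function names are hypothetical.

```python
"""Audit a resolver's upstream queries for QNAME minimisation (RFC 7816)."""

def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def minimised_qname(full_qname, zone):
    """Name a minimising resolver sends to a server for `zone`: zone + one label."""
    q, z = labels(full_qname), labels(zone)
    if z and q[-len(z):] != z:
        raise ValueError(f"{full_qname} is not inside zone {zone}")
    keep = min(len(q), len(z) + 1)   # never more labels than the name has
    return ".".join(q[-keep:])

def audit(trace):
    """One finding per query: which labels were exposed beyond what was needed."""
    findings = []
    for server, zone, qname, qtype in trace:
        needed = minimised_qname(qname, zone)
        extra = labels(qname)[: len(labels(qname)) - len(labels(needed))]
        findings.append({
            "server": server, "sent": qname, "qtype": qtype,
            "needed": needed, "exposed_labels": extra, "minimised": not extra,
        })
    return findings

def resolver_minimises(trace):
    """True only if no query in the trace exposed surplus labels."""
    return all(f["minimised"] for f in audit(trace))

# Constructed from the query path in the message: (server, zone, qname, qtype).
# ASSUMPTION: the zone column is inferred from the referral, not stated there.
TRACE = [
    ("185.49.140.60", "qnamemin-test.internet.nl",
     "a.b.qnamemin-test.internet.nl", "TXT"),
    ("185.49.141.12", "a.b.qnamemin-test.internet.nl",
     "a.b.qnamemin-test.internet.nl", "TXT"),
]

if __name__ == "__main__":
    for f in audit(TRACE):
        verdict = "minimised" if f["minimised"] else f"exposes {f['exposed_labels']}"
        print(f"{f['server']:<15} {f['qtype']} {f['sent']} -> {verdict}")
```

Under these assumptions the first query carries one label more than the parent server needs, while the second goes to the server for the full name and exposes nothing extra.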