Hi Niall & Randy,

I'm using my version of DJB's dnscache [https://www.fehcom.de/ipnet/djbdnscurve6.html]:

The test claims false results given a 'warm' cache.

./dnstext a.b.qnamemin-test.internet.nl
NO - QNAME minimisation is NOT enabled on your resolver :(

I just used the 100k DNS data sets provided here recently to feed my cache ;-)

Query/response path:

myip -> 185.49.140.60 TXT a.b.qnamemin-test.internet.nl
185.49.140.60 -> myip TXT a.b.qnamemin-test.internet.nl NS ns.qnamemin.test.internet.nl (glue) A 185.49.141.12 AAAA 2a04:b900:0:100::8:28
myip -> 185.49.141.12 TXT a.b.qnamemin-test.internet.nl
185.49.141.12 -> myip TXT a.b.qnamemin-test.internet.nl (text ...)

Sorry, this test doesn't mean anything, since it cannot distinguish the way the query comes in.

BTW: It is not 'privacy' RFC 7816 is claiming; it is query obfuscation at the NS, not more.

Remark: QnameMin only helps in case many labels are encountered; this is not common in today's internet any more. Just to get rid of the first label is not worth including more complexity in the code; IMHO.

Regards.
--eh.

> On 27.04.2019 at 11:49, Niall O'Reilly <niall.orei...@ucd.ie> wrote:
>
> On 26 Apr 2019, at 10:02, Mirjam Kuehne wrote:
>
>> Wouter de Vries, Moritz Mueller and others did a study on qmin deployment
>> and the associated challenges:
>>
>> https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-with-qname-minimisation
>
> In which they mention:
>>
>> You can test whether your resolver supports qmin by querying the domain
>> below, using the command line tool dig, which relies on the same technique:
>>
>> dig a.b.qnamemin-test.internet.nl TXT
>
> I really appreciate it when people don't just do the study, but let others
> know how to confirm that their configuration looks "right" from the outside.
>
> Thanks to the authors!
>
> /Niall
>

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id 7E4034BE
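
Added example, not part of the original message and not code from dnscache or the internet.nl test: a small offline Python model of RFC 7816 that lists which name and type each zone's servers receive for the test name, without minimisation, with it, and with a delegation already in cache. The zone cuts in CUTS and the helper names are assumptions made for illustration, and the model covers only referrals and the final answer.

```python
# Added illustration: which query name and type does each zone's server see,
# with and without QNAME minimisation (RFC 7816)? No network access is used.

def labels(name):
    """Split a domain name into labels; the root is the empty list."""
    name = name.strip(".")
    return name.split(".") if name else []

def referral(zone, ask, cuts):
    """Shallowest zone cut strictly below `zone` that contains `ask`, or None."""
    for depth in range(len(zone) + 1, len(ask) + 1):
        candidate = ask[-depth:]
        if ".".join(candidate) in cuts:
            return candidate
    return None

def upstream_queries(qname, qtype, cuts, minimise, cached_zone="."):
    """Return [(zone asked, name sent, type sent)] until the answer arrives."""
    full, zone = labels(qname), labels(cached_zone)
    depth, sent = len(zone), []
    while True:
        if minimise and depth + 1 < len(full):
            depth += 1                       # reveal one more label, ask for NS
            ask, ask_type = full[-depth:], "NS"
        else:
            ask, ask_type = full, qtype      # full name with the original type
        sent.append((".".join(zone) or ".", ".".join(ask), ask_type))
        child = referral(zone, ask, cuts)
        if child is not None:                # delegation: continue at the child
            zone, depth = child, len(child)
        elif ask == full and ask_type == qtype:
            return sent                      # authoritative answer reached
        # else: no cut at this label, ask the same zone with one more label

# ASSUMPTION: constructed delegation layout, not taken from the thread.
CUTS = {"nl", "internet.nl", "qnamemin-test.internet.nl"}
NAME = "a.b.qnamemin-test.internet.nl"

if __name__ == "__main__":
    runs = [("cold cache, full qname", dict(minimise=False)),
            ("cold cache, minimised", dict(minimise=True)),
            ("delegation cached, minimised",
             dict(minimise=True, cached_zone="qnamemin-test.internet.nl"))]
    for title, kw in runs:
        print(title)
        for zone, name, qt in upstream_queries(NAME, "TXT", CUTS, **kw):
            print(f"  to {zone:26} {qt:3} {name}")
```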