On Feb 9, 2017, at 6:28 PM, Mark Andrews <ma...@isc.org> wrote:

> Because QNAME minimization does not stop on NXDOMAIN. Too much
> broken stuff out there to stop on NXDOMAIN. The purpose of QNAME
> minimization is to prevent leaking too much information about the qname
> to the parent zone. It does nothing to prevent leakage of the QNAME
> to the containing zone.
Er, maybe I don't understand qname minimization correctly. My understanding is that the way it works is that the recursive resolver does not forward the entire query up the chain: it just forwards the bit it needs resolved to answer the next question. So, if you ask for foo.alt, the resolver should first ask for "." (except it probably already has it), and then "alt.", which will return an NXDOMAIN. So it will never ask anybody for foo.alt, because it has no-one to ask.
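Added illustration, not code from either poster: a small Python model of the two resolver behaviours discussed above, run against a constructed delegation tree in which `alt.` does not exist at the root. `stop_on_nxdomain=True` is the model described in the reply; `False` is the behaviour Mark describes, where the full name is still sent to the containing zone (here the root). The zone data and function names are assumptions for the demonstration.

```python
from typing import Dict, List, Set, Tuple

# Constructed delegation tree (not real DNS data): zone -> child labels it knows.
# "alt" is deliberately absent from the root, so a query for "alt." gets NXDOMAIN.
ZONES: Dict[str, Set[str]] = {
    ".": {"com"},
    "com.": {"example"},
    "example.com.": {"www"},
}


def labels_from_root(qname: str) -> List[str]:
    """'www.example.com.' -> ['com', 'example', 'www']; '.' -> []."""
    return [lab for lab in qname.rstrip(".").split(".") if lab][::-1]


def answer(zone: str, name: str) -> str:
    """The authoritative server for `zone` answers a query for `name` below it."""
    rel = labels_from_root(name)[len(labels_from_root(zone)):]
    return "NOERROR" if rel and rel[0] in ZONES[zone] else "NXDOMAIN"


def minimized_queries(qname: str, stop_on_nxdomain: bool) -> List[Tuple[str, str, str]]:
    """Queries a QNAME-minimizing resolver sends, as (zone asked, name asked, rcode).

    The resolver adds one label at a time, starting at the root, and only moves
    to a child zone once the parent has confirmed that the child exists.
    """
    labels = labels_from_root(qname)
    zone, sent = ".", []
    for i in range(1, len(labels) + 1):
        name = ".".join(reversed(labels[:i])) + "."
        rcode = answer(zone, name)
        sent.append((zone, name, rcode))
        if rcode == "NXDOMAIN" and stop_on_nxdomain:
            break  # model in the reply: no one left to ask, so stop here
        if rcode == "NOERROR" and name in ZONES:
            zone = name  # crossed a delegation; later queries go to the child zone
    return sent


if __name__ == "__main__":
    for policy in (True, False):
        print(f"stop_on_nxdomain={policy}:")
        for zone, name, rcode in minimized_queries("foo.alt.", policy):
            print(f"  ask {zone!r} for {name!r} -> {rcode}")
```

With `stop_on_nxdomain=False` the second query sends the full `foo.alt.` to the root, which is the leak to the containing zone that the quoted message points out.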
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop