In message <cfb6beb2-4110-406a-a917-fc6361061...@fugue.com>, Ted Lemon writes:

> > On Feb 9, 2017, at 6:28 PM, Mark Andrews <ma...@isc.org> wrote:
> > Because QNAME minimization does not stop on NXDOMAIN. Too much
> > broken stuff out there to stop on NXDOMAIN. The purpose of QNAME
> > minimization is to prevent leaking too much information about the qname
> > to the parent zone. It does nothing to prevent leakage of the QNAME
> > to the containing zone.
>
> Er, maybe I don't understand qname minimization correctly. My
> understanding is that the way it works is that the recursive resolver
> does not forward the entire query up the chain: it just forwards the bit
> it needs resolved to answer the next question. So, if you ask for
> foo.alt, the resolver should first ask for "." (except it probably
> already has it), and then "alt.", which will return an NXDOMAIN. So it
> will never ask anybody for foo.alt, because it has no-one to ask.
No, it will ask for foo.alt because:

1) there is too much brokenness out there that returns NXDOMAIN instead of
   NODATA for an ENT.

2) the cache doesn't have a DNSSEC proof of non-existence for foo.alt
   without also having aggressive negative caching (code and configuration)
   and the answer for alt having been validated as a secure NXDOMAIN.

QNAME minimisation prevents the root learning about foo.com because there
is a delegation for com in the root zone. This does not apply for foo.alt.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
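The following toy resolver is an added illustration of the two points in the reply above; it is not code from the thread, from ISC or from any real resolver. It models QNAME minimisation over a constructed set of authoritative servers (the zone contents, the "broken ENT" server behaviour and the NSEC record are all invented for the example) and shows (a) why a minimising resolver cannot safely stop at the first NXDOMAIN, so the root still sees foo.alt while it never sees foo.com, and (b) that only a validated NSEC proof held in an aggressive negative cache lets it synthesise NXDOMAIN for foo.alt without sending the query. The canonical-ordering check is a simplification: it ignores wildcards and the parent-side-of-delegation NSEC caveat a real validator must handle.

```python
"""Toy model of QNAME minimisation (RFC 7816) against constructed servers.

Demonstrates, with invented zone data:
 1) a server answering NXDOMAIN for an empty non-terminal (ENT) where NODATA
    is correct, which is why the resolver keeps adding labels after NXDOMAIN;
 2) that without a validated NSEC proof plus aggressive negative caching
    (RFC 8198) the resolver has no basis to answer foo.alt itself.
"""
from dataclasses import dataclass

# Response kinds a toy authoritative server can return.
DELEGATION, ANSWER, NODATA, NXDOMAIN = "DELEGATION", "ANSWER", "NODATA", "NXDOMAIN"


@dataclass
class Server:
    zone: str                 # apex this constructed server is authoritative for
    records: dict             # owner name -> DELEGATION / ANSWER / NODATA (an ENT)
    broken_ent: bool = False  # misbehaving server: says NXDOMAIN for an ENT

    def query(self, qname):
        kind = self.records.get(qname)
        if kind is None:
            return NXDOMAIN
        if kind == NODATA and self.broken_ent:
            return NXDOMAIN   # the "too much brokenness out there" case
        return kind


# Constructed hierarchy: the root delegates com. only; there is no alt.
SERVERS = {
    ".": Server(".", {"com.": DELEGATION}),
    "com.": Server("com.", {"example.com.": DELEGATION}),
    "example.com.": Server("example.com.",
                           {"sub.example.com.": NODATA,          # an ENT
                            "host.sub.example.com.": ANSWER},
                           broken_ent=True),
}


def prefixes(qname):
    """'foo.alt.' -> ['alt.', 'foo.alt.'] (shortest name first)."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def canonical_key(name):
    """DNS canonical ordering: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def covered_by_nsec(name, nsec_cache):
    """RFC 8198-style check: a validated root NSEC (owner, next) whose range
    covers the name proves it, and everything beneath it, does not exist.
    Simplified: wildcards and delegation-side NSECs are not considered."""
    key = canonical_key(name)
    return any(canonical_key(owner) < key < canonical_key(nxt)
               for owner, nxt in nsec_cache)


def resolve_minimised(qname, stop_on_nxdomain=False, nsec_cache=()):
    """Walk the name one label at a time. Returns (result, queries_sent),
    where queries_sent lists (server zone, name actually sent) in order."""
    if covered_by_nsec(qname, nsec_cache):
        return NXDOMAIN, []   # synthesised from a validated proof; nothing sent
    server = SERVERS["."]
    sent = []
    result = NXDOMAIN
    for name in prefixes(qname):
        sent.append((server.zone, name))
        result = server.query(name)
        if result == DELEGATION:
            server = SERVERS[name]    # descend to the child zone's server
        elif result == NXDOMAIN and stop_on_nxdomain:
            break                     # trusting NXDOMAIN: unsafe with broken ENTs
        # NODATA, or an NXDOMAIN we do not trust: keep adding labels
    return result, sent


if __name__ == "__main__":
    for q in ("foo.alt.", "foo.com.", "host.sub.example.com."):
        print(q, resolve_minimised(q))
    print("stop on NXDOMAIN:", resolve_minimised("host.sub.example.com.", True))
    print("with NSEC proof:", resolve_minimised("foo.alt.", nsec_cache=[("alpha.", "ax.")]))
```

Running it shows the root receiving both "alt." and "foo.alt." for the first query, the root receiving only "com." for foo.com, the broken ENT producing a false NXDOMAIN when the resolver stops early, and an empty query list once a validated covering NSEC ("alpha." to "ax.", constructed) is in the cache.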