On 2018-11-01 21:53, Rainer Duffner wrote:
On 01.11.2018 at 21:26, Jeroen Massar jeroen@massar.ch wrote: TLDR:
On a related note:
Does anyone run a resolver with QNAME-minimization enabled?
Any problems, common or specific to certain domains?
At least everybody running unbound is (as it is the default) and unbound is very often deployed in high-speed recursor situations.
Do note that unbound has a not-default-on strict mode. That means in non-strict mode (default) it will retry when failures happen. (As such, a MITM/bad-authoritative could introduce a failure to learn more)
The config option reads and explains reasonably well:
------
qname-minimisation-strict: <yes or no>
    QNAME minimisation in strict mode. Do not fall-back to sending full
    QNAME to potentially broken nameservers. A lot of domains will not be
    resolvable when this option is enabled. Only use if you know what you
    are doing. This option only has effect when qname-minimisation is
    enabled. Default is off.
----
Exact details are in the archives of the unbound mailing list...
Greets, Jeroen
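
Added example, not part of the original thread and not unbound's code: a simplified model of which names each zone's servers see with QNAME minimisation, and how a failure at one zone changes that in default versus strict mode. The names `trace` and `seen_by`, the zone cuts and the failing zone are assumptions constructed for illustration.

```python
# Simplified model of QNAME minimisation (RFC 7816) and the full-QNAME
# fall-back. Not unbound's code; zone cuts and failing zones are constructed.

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def fqdn(lbls):
    return ".".join(lbls) + "." if lbls else "."

def trace(qname, zone_cuts, failing=(), minimise=True, strict=False):
    """Return [(zone, name_sent, note)] for one lookup.

    zone_cuts: delegation chain from the root down (assumed already known).
    failing:   zones whose servers answer a minimised query with a failure.
    """
    q = labels(qname)
    failing = {fqdn(labels(z)) for z in failing}
    out = []
    for i, cut in enumerate(zone_cuts):
        z = labels(cut)
        if z and q[-len(z):] != z:
            raise ValueError(f"{qname} is not below zone {cut}")
        zone = fqdn(z)
        if not minimise:
            out.append((zone, fqdn(q), "full"))
            continue
        nxt = labels(zone_cuts[i + 1]) if i + 1 < len(zone_cuts) else q
        # Reveal one more label per query, up to the next cut or the full name.
        for depth in range(len(z) + 1, len(nxt) + 1) or [len(q)]:
            if zone in failing:
                out.append((zone, fqdn(q[-depth:]), "failure"))
                if strict:   # qname-minimisation-strict: yes
                    out.append((zone, None, "unresolvable"))
                    return out
                out.append((zone, fqdn(q), "fallback-full"))  # default mode
                break
            out.append((zone, fqdn(q[-depth:]), "minimised"))
    return out

def seen_by(steps, zone):
    """Names that the servers of `zone` got to see during the lookup."""
    return {name for z, name, _ in steps if z == zone and name}

if __name__ == "__main__":
    cuts = [".", "org.", "example.org."]          # constructed sample input
    for strict in (False, True):
        steps = trace("www.dept.example.org.", cuts, failing=["org."], strict=strict)
        print("strict" if strict else "default", sorted(seen_by(steps, "org.")))
```
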