Hi Niall & Randy,

I'm using my version of DJB's dnscache [https://www.fehcom.de/ipnet/djbdnscurve6.html]: The test claims false results given a 'warm' cache.

./dnstext a.b.qnamemin-test.internet.nl
NO - QNAME minimisation is NOT enabled on your resolver :(

I just used the 100k DNS data sets provided here recently to feed my cache ;-)

Query/response path:

myip -> 185.49.140.60 TXT a.b.qnamemin-test.internet.nl
185.49.140.60 -> myip TXT a.b.qnamemin-test.internet.nl NS ns.qnamemin.test.internet.nl (glue) A 185.49.141.12 AAA 2a04:b900:0:100::8:28
myip -> 185.49.141.12 TXT a.b.qnamemin-test.internet.nl
185.49.141.12 -> myip TXT a.b.qnamemin-test.internet.nl (text ...)

Sorry, this test doesn't mean anything, since it cannot distinguish the way the query comes in.

BTW: It is not 'privacy' RFC 7816 is claiming; it is query obfuscation at the NS, not more.

Remark: QnameMin only helps in case many labels are encountered; this is not common in today's internet any more. Just to get rid of the first label is not worth including more complexity in the code; IMHO.

Regards.
--eh.

On 27.04.2019 at 11:49, Niall O'Reilly <niall.oreilly@ucd.ie> wrote:
On 26 Apr 2019, at 10:02, Mirjam Kuehne wrote:
Wouter de Vries, Moritz Mueller and others did a study on qmin deployment and the associated challenges:
https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-wi...
In which they mention:
You can test whether your resolver supports qmin by querying the domain below, using the command line tool dig, which relies on the same technique:
dig a.b.qnamemin-test.internet.nl TXT
I really appreciate it when people don't just do the study, but let others know how to confirm that their configuration looks "right" from the outside.
Thanks to the authors!
/Niall
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id 7E4034BE
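
As an added illustration (not part of the messages above, and not the internet.nl test's own logic), this sketch lists which query name each zone's name servers would receive for the test name, with and without RFC 7816 minimisation, from a cold cache and from a cache that already holds a deeper delegation. The zone cuts in ZONE_CUTS and all function names are assumptions made for the example.

```python
# Added illustration. ZONE_CUTS is a constructed assumption, not measured data.
ZONE_CUTS = {"nl.", "internet.nl.", "qnamemin-test.internet.nl."}
QNAME = "a.b.qnamemin-test.internet.nl."


def ancestors(name):
    """Enclosing domains from the root down, ending with the name itself."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def queries_seen(qname, qtype, zone_cuts, minimise, cached_zone="."):
    """Return [(zone asked, qname sent, qtype sent), ...] for one lookup.

    cached_zone is the deepest zone whose name servers are already cached,
    so "." models a cold cache and a deeper zone models a warm one.
    """
    chain = ancestors(qname)
    full = chain[-1]
    if cached_zone not in chain:
        raise ValueError("cached_zone must enclose qname")
    below = chain[chain.index(cached_zone) + 1:]
    zone = cached_zone
    if not minimise:
        # Classic resolver: every zone on the path sees the full name and type.
        seen = [(zone, full, qtype)]
        for cand in below:
            if cand in zone_cuts:
                zone = cand
                seen.append((zone, full, qtype))
        return seen
    # RFC 7816 style: one more label than the zone being asked, type NS,
    # until the full name is reached.
    seen = []
    for cand in below:
        if cand != full:
            seen.append((zone, cand, "NS"))
        else:
            seen.append((zone, full, qtype))
        if cand in zone_cuts:
            zone = cand
            if cand == full:
                seen.append((zone, full, qtype))
    return seen or [(zone, full, qtype)]


def zones_seeing_full_name(seen, qname):
    """Zones whose servers received the complete query name."""
    return [zone for zone, name, _ in seen if name == qname]
```

Calling queries_seen(QNAME, "TXT", ZONE_CUTS, True, "qnamemin-test.internet.nl.") models the warm-cache case, where only the deepest cached zone is asked.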