This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] New on RIPE Labs: Making the DNS More Private with QNAME Minimisation

Previous message (by thread): [dns-wg] New on RIPE Labs: Making the DNS More Private with QNAME Minimisation
Next message (by thread): [dns-wg] New on RIPE Labs: Making the DNS More Private with QNAME Minimisation

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Erwin Hoffmann feh at fehcom.de
Sat Apr 27 22:25:02 CEST 2019

Hi Niall & Randy,

I'm using my version of DJB's dnscache [https://www.fehcom.de/ipnet/djbdnscurve6.html]:

The test claims false results given a 'warm' cache.

./dnstext a.b.qnamemin-test.internet.nl
NO - QNAME minimisation is NOT enabled on your resolver :(

I just used the 100k DNS data sets provided here recently to feed my cache ;-)

Query/response path:

myip 		-> 185.49.140.60 	TXT a.b.qnamemin-test.internet.nl
185.49.140.60	-> myip 			TXT a.b.qnamemin-test.internet.nl NS ns.qnamemin.test.internet.nl (glue) A 185.49.141.12 AAA 2a04:b900:0:100::8:28
myip		-> 185.49.141.12	TXT a.b.qnamemin-test.internet.nl
185.49.141.12 -> myip			TXT a.b.qnamemin-test.internet.nl (text ...)

Sorry, this test doesn't mean anything, since it can not distinguish the way the query comes in.

BTW: It is not 'privacy' RFC 7816 is claiming; it is query obfuscation at the NS, not more. 

Remark: QnameMin only helps in case many labels are encountered; this is not common in today's internet any more. Just to get rid for the first label ist not worth to include more complexity in the code; IMHO. 

Regards.
--eh. 


> Am 27.04.2019 um 11:49 schrieb Niall O'Reilly <niall.oreilly at ucd.ie>:
> 
> On 26 Apr 2019, at 10:02, Mirjam Kuehne wrote:
> 
>> Woute de Vries, Moritz Mueller and others did a study on qmin deployment
>> and the associated challenges:
>> 
>> https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-with-qname-minimisation
> 
> In which they mention:
>> 
>> You can test whether your resolver supports qmin by querying the domain below, using the command line tool dig, which relies on the same technique:
>> 
>> dig a.b.qnamemin-test.internet.nl TXT
> 
> I really appreciate it when people don't just do the study, but let others
> know how to confirm that their configuration looks "right" from the outside.
> 
> Thanks to the authors!
> 
> /Niall
> 
> 

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id 7E4034BE

Previous message (by thread): [dns-wg] New on RIPE Labs: Making the DNS More Private with QNAME Minimisation
Next message (by thread): [dns-wg] New on RIPE Labs: Making the DNS More Private with QNAME Minimisation

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]