Re: [dns-privacy] [ I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]

Tony Finch <> Thu, 20 March 2014 11:04 UTC

Stephane Bortzmeyer <> wrote:

> Per popular request, qname minimisation, one of the techniques that
> may be used to improve DNS privacy, now has its own Internet-Draft.

Ace :-)

You say "[RFC2181] suggests an algorithm to find the zone cut" but
although it describes what a zone cut looks like I can't see any clear
description of an algorithm for finding them. There are evidently
subtleties in this algorithm; for example, do you abort early if you get
an NXDOMAIN response, or do you treat that as NOERROR/NODATA? Is there
enough buggy handling of empty non-terminals that you have to do the
latter? And if so what are the privacy implications?


   Another note is that the answer to the NS query, unlike the referral
   sent when the question is a full qname, is in the Answer section, not
   in the Authoritative section.

This is incorrect. RFC 2181 again:

                  The NS records that indicate a zone cut are the
   property of the child zone created, as are any other records for the
   origin of that child zone, or any sub-domains of it.  A server for a
   zone should not return authoritative answers for queries related to
   names in another zone, which includes the NS, and perhaps A, records
   at a zone cut, unless it also happens to be a server for the other

Later on,

                                    However, qname minimisation may
   still work with such domains since they are only leaf domains (no
   need to send them NS requests).

This goes back to subtleties in the algorithm :-)

You will send NS queries for to the servers of so you
should never trigger the brokenness in the load balancer.

This brings up a question about zone cuts at the leaf like this one:
should your query sequence look like

  fr          IN NS ?     IN NS ? IN NS ? IN A ? IN AAAA ?

Or should you skip the third query?

Skipping the third query would improve latency in most cases (when there
isn't a zone cut at the leaf), but it leads to leakage. For example,
consider a domain like do you want the .com name servers to
know if you are sending mail to Google, rather than just looking at their
web site?

f.anthony.n.finch  <>
Viking, North Utsire, South Utsire: Southerly or southwesterly 6 to gale 8,
occasionally severe gale 9 at first in Viking. Rough or very rough. Occasional
rain. Moderate or good, occasionally poor.
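
Added example, not part of the original message or of the draft: a simplified model of the two query sequences discussed above, showing what the parent zone's servers observe when the NS probe at the leaf is sent or skipped. The zone names, the `ZONE_APEXES` data and all function names are constructed for illustration; NXDOMAIN handling and empty non-terminals are not modelled.

```python
# Simplified model of a qname-minimising resolver that probes with NS queries.
# ZONE_APEXES is constructed sample data, not real delegation information.
ZONE_APEXES = {".", "com.", "example.com."}


def ancestors(qname):
    """Names from the TLD down to qname, e.g. com., example.com., ..."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def minimised_queries(qname, qtype, probe_leaf):
    """Return the (zone_asked, name, type) queries sent, in order."""
    sent, zone = [], "."
    for name in ancestors(qname):
        if name == qname and not probe_leaf:
            # Leaf NS probe skipped: the real qtype goes to the deepest zone
            # known so far, which is the parent if the leaf is a zone cut.
            sent.append((zone, name, qtype))
            if name in ZONE_APEXES:
                # Parent replies with a referral; repeat at the child zone.
                sent.append((name, name, qtype))
            return sent
        sent.append((zone, name, "NS"))
        if name in ZONE_APEXES:
            zone = name  # zone cut found, descend
    sent.append((zone, qname, qtype))
    return sent


def seen_by(zone, queries):
    """What the servers of one zone observe: (name, type) pairs."""
    return [(n, t) for z, n, t in queries if z == zone]


if __name__ == "__main__":
    for probe in (True, False):
        for q in (("example.com.", "MX"), ("www.example.com.", "A")):
            sent = minimised_queries(*q, probe_leaf=probe)
            print(probe, q, len(sent), "queries; com. sees", seen_by("com.", sent))
```

In this model, skipping the leaf probe saves one query only when the leaf is not a zone cut; when it is, the query count is unchanged and the parent's servers see the real query type.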