Re: [dns-privacy] [ I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]

Stephane Bortzmeyer <> Thu, 20 March 2014 15:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7FE9E1A0759 for <>; Thu, 20 Mar 2014 08:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rmHJozAC-xVR for <>; Thu, 20 Mar 2014 08:28:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2A8BD1A0750 for <>; Thu, 20 Mar 2014 08:28:16 -0700 (PDT)
Received: by (Postfix, from userid 10) id 3B67F3B8A0; Thu, 20 Mar 2014 16:28:06 +0100 (CET)
Received: by (Postfix, from userid 1000) id B98DFCA2FC; Thu, 20 Mar 2014 16:27:38 +0100 (CET)
Date: Thu, 20 Mar 2014 16:27:38 +0100
From: Stephane Bortzmeyer <>
To: Tony Finch <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 7.3
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dns-privacy] [ I-D Action: draft-bortzmeyer-dns-qname-minimisation-00.txt]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Mar 2014 15:28:18 -0000

On Thu, Mar 20, 2014 at 03:06:48PM +0000,
 Tony Finch <> wrote 
 a message of 110 lines which said:

>                  172800  IN      NS

OK, I get it, sorry. Paragraph deleted from my local copy of the

> > Following the general principle of DNS RFCs, I do not think it would
> > be wise to specify an algorithm for resolution with qname
> > minimisation, since there is none for traditional resolution.
> RFC 1034 section 4.3.2.

OK, but it won't help since it is for authoritative name
servers. Resolvers are at section 5.3.3 and the algorithm is so
sketchy that it does not even mention the content of the query sent to
authoritative name servers.

Also, qname minimisation is _not_ a change in the protocol, it's more
an unilateral best practice ("privacy optimization"), and therefore
does not need to be specified by an algorithm. If several resolvers
implement it slightly differently, it is not a problem.

> No, I mean, if I go to in my browser, I will make A and
> AAAA queries for, but if I send mail to a Google employee I
> will make MX queries for
> So if you skip the NS query for (because it is the whole of the
> QNAME in this case) you will leak the A vs MX difference to the .com
> servers.

Said otherwise, if you skip the NS query step, and send "A"
to the .com name servers, Verisign's name servers will send you back a
referral and then you'll learn the zone cut (this is what every
resolver already does today). So, there will be a leak only for the
first request (a simple heuristic to avoid this would be to always
send the NS query for the first two labels).

Anyway, I have no problem with saying that you should always send the
NS query to be sure, and too bad for the broken name servers like
those of I even think Mark Andrews will agree with me
here :-)