On 2022/09/13 09:20, Cyril - ImprovMX via mailop wrote:
> Nice! Good catch about the dns-0x20 implementation! I must have copy/pasted
> some properties without looking much into it.

That is unlikely to be causing an actual problem here though.

>     > 2. The other issue is even weirder. SA is trying to validate the
>     > domains by trimming the left part up to the gTLDs:
>     >
>     >     - some.domain.com._custom_id.df.uribl.com
>     >     - domain.com._custom_id.df.uribl.com
>     >     - com._custom_id.df.uribl.com <-- wtf?
>     >
>     > Somehow, something is trying to check up to the top TLD, where it's
>     > useless. Again, I can't understand why SA would do that.
> 
>     This is probably unbound doing what it does, recursive resolving (from
>     TLD all the way down).
> 
> Is there a way to stop unbound from fetching the root TLD (just "com")?

That's qname-minimisation, which these days is enabled by default in
at least unbound and BIND.

It improves privacy by avoiding sending the full query name to parent
DNS servers.

In your example, without qname-minimisation you'll occasionally see
queries including "_custom_id" sent to one of the .com nameservers, i.e.
*.gtld-servers.net. With qname-minimisation, those queries which include
"_custom_id" will only get sent to uribl.com's nameservers.

See more in https://www.isc.org/blogs/qname-minimization-and-privacy/,
RFC 7816, and others.

One would have thought that operators of a DNS-based service would
have known about these already though...

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
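
The following is an added example illustrating the behaviour described in the reply above; it is not code from the thread, nor from unbound, BIND or SpamAssassin. It models a resolver walking a constructed delegation chain (root, then com, then uribl.com, with everything below uribl.com assumed to be served by uribl.com's own nameservers, which is an assumption of the example and not a statement about the real zone) and lists the query names each zone's servers would see with classic full-name recursion versus RFC 7816 style one-label-at-a-time minimisation. The model is simplified: real resolvers (RFC 9156, which obsoletes RFC 7816) cap the number of extra round trips and use A/AAAA rather than NS as the probe type, but the privacy property is the same. Note that the minimised walk does produce a query for com._custom_id.df.uribl.com, which is exactly the name the original poster found puzzling, and that it is only ever sent to uribl.com's servers.

```python
"""QNAME minimisation (RFC 7816, updated by RFC 9156) vs. full-name recursion.

Added example for the mailop thread above; not code from unbound, BIND or
SpamAssassin. The delegation chain is constructed for the illustration.
"""

# Constructed zone cuts for the example. "" is the root zone. A real resolver
# learns these from referrals; here they are fixed so the walk is deterministic.
ZONE_CUTS = {"", "com", "uribl.com"}


def labels(name):
    """Split a domain name into labels, ignoring case and a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def enclosing_zones(qname):
    """Zone cuts that enclose qname, shallowest first (root always included)."""
    ls = labels(qname)
    zones = [""]
    for k in range(1, len(ls) + 1):
        suffix = ".".join(ls[len(ls) - k:])
        if suffix in ZONE_CUTS:
            zones.append(suffix)
    return zones


def full_qname_queries(qname):
    """Classic recursion: the complete qname is sent to every zone on the path.

    Returns (zone_asked, name_sent) pairs; each referral moves one zone deeper.
    """
    full = ".".join(labels(qname))
    return [(zone, full) for zone in enclosing_zones(qname)]


def minimised_queries(qname):
    """RFC 7816 style: add one label at a time, starting at the root servers.

    A server only sees labels down to the first one below the zone it serves;
    the remaining labels are revealed only to the zone that holds the name.
    """
    ls = labels(qname)
    n = len(ls)
    zone = ""  # start at the root servers
    out = []
    for k in range(1, n + 1):
        partial = ".".join(ls[n - k:])
        out.append((zone, partial))
        # In this model a referral happens exactly when `partial` is a zone cut;
        # the next, longer name is then sent to that zone's servers.
        if partial in ZONE_CUTS:
            zone = partial
    return out


def labels_seen_by(zone, queries):
    """Set of labels that the servers of `zone` observed in query names."""
    seen = set()
    for asked, name in queries:
        if asked == zone:
            seen.update(labels(name))
    return seen


def leaked_to(zone, qname):
    """Labels of qname that `zone`'s servers see with and without minimisation.

    Returns (labels_classic, labels_minimised) as sets.
    """
    return (labels_seen_by(zone, full_qname_queries(qname)),
            labels_seen_by(zone, minimised_queries(qname)))


if __name__ == "__main__":
    q = "some.domain.com._custom_id.df.uribl.com"  # constructed lookup name
    print("classic:")
    for zone, name in full_qname_queries(q):
        print(f"  to servers of {(zone or '<root>'):12}: {name}")
    print("minimised:")
    for zone, name in minimised_queries(q):
        print(f"  to servers of {(zone or '<root>'):12}: {name}")
    classic, minimised = leaked_to("com", q)
    print("_custom_id seen by .com servers? classic:", "_custom_id" in classic,
          "minimised:", "_custom_id" in minimised)
```

Running it shows three queries in the classic walk, all carrying the full name (so the root and .com servers learn the "_custom_id" label), against seven in the minimised walk, where the root sees only "com", the .com servers see only "uribl.com", and every query containing "_custom_id" goes to uribl.com's servers. If the extra queries are unwanted, unbound exposes this as `qname-minimisation: yes|no` in the `server:` section of unbound.conf; switching it off trades the privacy gain the reply describes for fewer round trips.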