On 2018-11-01 21:53, Rainer Duffner wrote:
On 01.11.2018 at 21:26, Jeroen Massar <[email protected]> wrote:
TLDR:
On a related note:
Does anyone run a resolver with QNAME-minimization enabled?
Any problems, common or specific to certain domains?
At least everybody running unbound is (as it is the default) and unbound
is very often deployed in high-speed recursor situations.
Do note that unbound has a not-default-on strict mode. That means in
non-strict mode (default) it will retry when failures happen. (As such,
a MITM/bad-authoritative could introduce a failure to learn more)
The config option reads and explains reasonably well:
------
qname-minimisation-strict: <yes or no>
    QNAME minimisation in strict mode. Do not fall-back to sending
    full QNAME to potentially broken nameservers. A lot of domains
    will not be resolvable when this option in enabled. Only use if
    you know what you are doing. This option only has effect when
    qname-minimisation is enabled. Default is off.
----
Exact details are in the archives of the unbound mailing list...
Greets,
Jeroen
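
The trade-off between the default fallback and strict mode described in the message above, as an added example that is not part of the original message and is not unbound's code: a simplified Python model of which name each zone's servers get to see. The zone names, the helper functions and the set of failing servers are constructed assumptions.

```python
# Simplified model of QNAME minimisation with and without fallback.
# Not unbound's algorithm; zones and failures below are constructed.

def minimised_name(qname, zone):
    """Name a minimising resolver asks a zone's servers: zone plus one label."""
    q = qname.rstrip(".").split(".")
    z = [label for label in zone.rstrip(".").split(".") if label]
    depth = min(len(z) + 1, len(q))
    return ".".join(q[-depth:]) + "."

def resolve(qname, zone_cuts, failing_zones, strict):
    """Walk the delegation chain from the root down.

    Returns ({zone: [names sent to that zone]}, resolved?).
    The last zone is authoritative for qname and sees the full name anyway.
    """
    seen = {}
    for i, zone in enumerate(zone_cuts):
        last = i == len(zone_cuts) - 1
        ask = qname if last else minimised_name(qname, zone)
        seen[zone] = [ask]
        if zone in failing_zones and ask != qname:
            if strict:
                return seen, False       # strict: stop, full name never sent
            seen[zone].append(qname)     # default: retry with the full QNAME
    return seen, True

def exposed_to(seen, qname, zone_cuts):
    """Zones above the authoritative one that were sent the full QNAME."""
    return [z for z in zone_cuts[:-1] if qname in seen.get(z, [])]

# Constructed sample: a name three delegations deep under the reserved TLD.
QNAME = "host.internal.corp.example."
CUTS = [".", "example.", "corp.example."]
FAILING = {"example."}   # servers that answer the minimised query with a failure

if __name__ == "__main__":
    for strict in (False, True):
        seen, ok = resolve(QNAME, CUTS, FAILING, strict)
        print("strict" if strict else "default", "resolved:", ok)
        for zone, names in seen.items():
            print("  ", zone, "saw", names)
        print("   full name exposed to:", exposed_to(seen, QNAME, CUTS))
```

In the default run the failing zone receives the full name on the retry and the lookup succeeds; in the strict run it only ever sees `corp.example.` and the lookup fails, which is the resolvability cost the option text warns about.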