nanog mailing list archives
Re: swedish dns zone enumerator
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Thu, 2 Nov 2023 10:25:22 +0100
On Thu, Nov 02, 2023 at 04:09:24PM +1100, Mark Andrews <marka () isc org> wrote a message of 90 lines which said:
> I also see QNAME minimisation in action as the QTYPE is NS. This could just be an open recursive server using QNAME minimisation. With QNAME minimisation working correctly all parent zones should see is NS queries with the occasional DNSKEY and DS query. Both BIND and Knot use NS queries for QNAME minimisation.
I disagree. NS queries were used in the first RFC about QNAME minimisation (which was experimental) but the current one (which is on the standards track) now recommends A or AAAA queries <https://www.rfc-editor.org/info/rfc9156>, especially section 2.1.
> Other query types and/or prefixes do not work as they have undesirable side effects.
Rather the contrary, some broken firewalls in front of authoritative name servers were crashing when using NS queries. Hence the choice of address queries. (Also, it improves privacy since it makes more difficult to see you are doing QNAME minimisation.)
> I would not like anyone to take seeing mostly NS queries as any evidence of bad practice.
We agree here.
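To make the difference discussed above concrete, here is an added example (not code from this thread, nor from BIND or Knot) that emulates the sequence of queries a QNAME-minimising resolver sends below an ancestor it already knows, so you can see what a parent zone's authoritative servers observe with A probes (RFC 9156) versus NS probes (the older RFC 7816 behaviour). The probe-type switch and the label-grouping formula used after the one-label budget is spent are this example's own assumptions, loosely following the MAX_MINIMISE_COUNT and MINIMISE_ONE_LAB knobs of RFC 9156 section 3.

```python
import math

def labels(name: str) -> list:
    """Split a dotted name into labels, root side first: 'www.example.se.' -> ['se', 'example', 'www']."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def minimised_queries(qname: str, qtype: str, ancestor: str, probe_qtype: str = "A",
                      max_minimise_count: int = 10, minimise_one_lab: int = 4) -> list:
    """Return the (qname, qtype) pairs a minimising resolver sends, in order.

    ancestor:      closest enclosing name whose delegation the resolver already has cached.
    probe_qtype:   type used for the intermediate, shortened names ('A' per RFC 9156 2.1,
                   'NS' for the behaviour attributed to BIND/Knot in the thread).
    The caps mirror the RFC 9156 section 3 knobs (recommended 10 and 4); how the
    remaining labels are grouped once the one-label budget is spent is an assumption
    of this example, not a quote of the RFC.
    """
    full, anc = labels(qname), labels(ancestor)
    if full[:len(anc)] != anc:
        raise ValueError("ancestor must enclose qname")
    have, count, out = len(anc), 0, []
    if have == len(full):
        # Nothing to minimise: the original query goes out as-is.
        return [(".".join(reversed(full)) + ".", qtype)]
    while have < len(full):
        count += 1
        remaining = len(full) - have
        if count > max_minimise_count:
            step = remaining                      # budget exhausted: send the full name
        elif count <= minimise_one_lab:
            step = 1                              # first iterations add a single label
        else:
            # Spread the remaining labels over the remaining query budget (assumption).
            step = math.ceil(remaining / (max_minimise_count - count + 1))
        have += step
        name = ".".join(reversed(full[:have])) + "."
        # Only the final, full name carries the original QTYPE; shorter names use the probe type.
        out.append((name, qtype if have == len(full) else probe_qtype))
    return out

if __name__ == "__main__":
    # Constructed sample lookup: what the .se servers would see for each probe flavour.
    for probe in ("A", "NS"):
        print(probe, minimised_queries("www.example.se.", "AAAA", "se.", probe_qtype=probe))
```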