QNAME Minimization Implementation Inquiry

2023-12-14 Thread Jonathan Magnusson
Hi,

I am conducting some research measurements on QNAME Minimization
implementations of popular open-source resolvers in light of RFC 9156, which
replaced RFC 7816.  While running some tests I noticed that BIND in the past
used the NS RR and minimized queries to the sixth label before sending the
FQDN. Today this implementation has been replaced and BIND uses the A RR and
minimizes to the seventh label.  Observing incoming queries at an SLD
authoritative name server, we see that BIND starts its minimization process
by sending a query with four labels instead of the expected three. I am very
curious about this oddity. What causes this? Is it by design?

I would appreciate any insight into BIND's QNAME Minimization implementation!

Best regards


Jonathan Magnusson

PhD Student - Computer Science

Karlstad University, Sweden

When you send an e-mail to Karlstad University, we will process your personal
data.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
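To make "the expected three labels" concrete, here is an added example (my own code, not BIND's or ISC's) that computes the query schedule RFC 9156 describes: starting from the closest zone cut the resolver already knows, add one label per query for the first MINIMISE_ONE_LAB queries, then spread the remaining labels over the queries still allowed under MAX_MINIMISE_COUNT, and finally send the full QNAME with the original QTYPE. The constants are the RFC's example values (not named's tunables), the chunk-sizing rule is my reading of section 2.3, and the A QTYPE for the shortened queries follows the thread's description of current BIND; the function models only the name schedule, not cache lookups, referrals or NXDOMAIN handling.

```python
import math
from typing import List, Tuple

# Example values given in RFC 9156 section 2.3; BIND's own limits may differ.
MAX_MINIMISE_COUNT = 10   # upper bound on minimised queries per resolution
MINIMISE_ONE_LAB = 4      # first N minimised queries add exactly one label


def labels(name: str) -> List[str]:
    """Split a dotted name into labels, root label omitted."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def minimised_queries(qname: str, known_cut: str, qtype: str = "AAAA",
                      minimise_qtype: str = "A") -> List[Tuple[str, str]]:
    """Return the (QNAME, QTYPE) pairs a minimising resolver would send.

    known_cut is the owner of the closest NS RRset already in cache
    (RFC 9156 step 1, "ANCESTOR"); it must be a suffix of qname.
    Every entry but the last uses minimise_qtype; the last is the
    original question.
    """
    q = labels(qname)
    cut = labels(known_cut)
    if cut and q[-len(cut):] != cut:
        raise ValueError(f"{known_cut!r} is not a suffix of {qname!r}")

    child = len(cut)          # number of labels in CHILD (steps 2-4)
    plan: List[Tuple[str, str]] = []
    count = 0
    while child < len(q):
        count += 1
        if count <= MINIMISE_ONE_LAB:
            step = 1
        else:
            # Queries still permitted, this one included; divide the
            # remaining labels evenly among them, rounding up.
            queries_left = MAX_MINIMISE_COUNT - count + 1
            step = max(1, math.ceil((len(q) - child) / queries_left))
        child = min(len(q), child + step)
        name = ".".join(q[-child:]) + "."
        plan.append((name, qtype if child == len(q) else minimise_qtype))

    if not plan:
        # CHILD already equals QNAME: resolve the original question directly.
        plan.append((".".join(q) + ".", qtype))
    return plan


def label_counts(plan: List[Tuple[str, str]]) -> List[int]:
    """Label count of each query, handy for comparing with a packet capture."""
    return [len(labels(name)) for name, _ in plan]


if __name__ == "__main__":
    # Constructed example: a resolver that already knows the example.com cut.
    for name, qtype in minimised_queries("www.sub.example.com.", "example.com."):
        print(f"{name:30} {qtype}")
```

An authoritative server for an SLD sees the first query of the schedule as cut-plus-one-label, so for a two-label cut the first observed query carries three labels; comparing `label_counts()` against what the server logs is the quickest way to see where an implementation deviates from the RFC text.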


Re: DNSSec mess with SHA1

2023-12-14 Thread Petr Špaček

On 14. 12. 23 8:58, Wolfgang Riedel via bind-users wrote:

Hi Folks,

I just wonder what your take is on the current DNSSEC mess with SHA1?

There are still a lot of top-level domains being signed with SHA1 and it 
looks like nobody really cares?
Current OS releases like RHEL 9 and others simply removed SHA1 from the 
code, so if you're running BIND with "dnssec-validation auto" all those 
domains fail to resolve and the only way is "dnssec-validation no", 
which eliminates the whole idea of DNSSEC!


The worst is that even nist.gov fails, WTF!
https://dnsviz.net/d/nist.gov/dnssec/

Any advice or ideas?


Given the lack of details it's hard to say. Widespread DNSSEC validation 
failures on RHEL 9 are not a shared experience.


Please provide:
- **exact** version numbers
- how you got the packages
- which version of OpenSSL is in use, and how it's configured
- Is FIPS mode in play or not?
... and then we can get to diagnosing your issue.

--
Petr Špaček
Internet Systems Consortium
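A script, added here and not Petr's or ISC's, that collects the facts he asks for on a Linux host and additionally probes whether the local OpenSSL will sign and verify with SHA-1 at all, which is the primitive a validator needs for the RSASHA1 algorithms (5 and 7). The rpm package names, the update-crypto-policies tool and /proc/sys/crypto/fips_enabled are Red Hat and Linux specifics assumed by the example; where they are absent the corresponding lines are skipped.

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread or from BIND itself).

# Prints "allowed", "blocked" or "unknown" depending on whether the local
# OpenSSL can produce and verify an RSA signature over a SHA-1 digest.
# "unknown" means openssl is missing or even key generation failed.
sha1_signature_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    d=$(mktemp -d 2>/dev/null) || { echo unknown; return 0; }
    printf 'sha1 probe' > "$d/msg"    # constructed message, content irrelevant
    if ! openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/key.pem" >/dev/null 2>&1 \
       || ! openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem" >/dev/null 2>&1; then
        rm -rf "$d"; echo unknown; return 0
    fi
    if openssl dgst -sha1 -sign "$d/key.pem" -out "$d/sig" "$d/msg" >/dev/null 2>&1 \
       && openssl dgst -sha1 -verify "$d/pub.pem" -signature "$d/sig" "$d/msg" >/dev/null 2>&1; then
        status=allowed
    else
        status=blocked     # e.g. RHEL 9 DEFAULT crypto policy or FIPS mode
    fi
    rm -rf "$d"
    echo "$status"
}

# One "key: value" line per item on Petr's list, plus the SHA-1 probe.
report_environment() {
    if command -v named >/dev/null 2>&1; then
        echo "named: $(named -V | head -n1)"
    else
        echo "named: not installed"
    fi
    if command -v rpm >/dev/null 2>&1; then
        echo "packages: $(rpm -q bind openssl 2>/dev/null | tr '\n' ' ')"
    fi
    if command -v openssl >/dev/null 2>&1; then
        echo "openssl: $(openssl version)"
        echo "openssl config dir: $(openssl version -d)"
    fi
    if command -v update-crypto-policies >/dev/null 2>&1; then
        echo "crypto policy: $(update-crypto-policies --show)"
    fi
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        echo "fips_enabled: $(cat /proc/sys/crypto/fips_enabled)"
    fi
    echo "sha1 rsa signature: $(sha1_signature_status)"
}

[ "${0##*/}" = "sha1-env-check.sh" ] && report_environment
```

If the probe reports "blocked", the OpenSSL underneath named refuses SHA-1 signature operations, and the "crypto policy" and "fips_enabled" lines show why; that, together with the exact package versions, is the information the reply asks for before any conclusion about BIND can be drawn.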