Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

["Brian J. Murrell" <brian () interlinx bc ca>]

On Wed, 2019-09-18 at 09:15 +0200, Jeroen Massar wrote:
> Hi Folks,

Hi.

> While in the US soon all Firefox users will *NOT* use your DNS
> Recursives configured using DHCP anymore
> (NXDOMAIN use-application-dns.net to avoid that[1]).

What am I misunderstanding?  Isn't use-application-dns.net supposed to
return A results until "defeated"?  I have not configured my own DNS
server to NXDOMAIN that yet, however:

$ dig use-application-dns.net a

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33589
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; Query time: 1181 msec
;; SERVER: fd31:aeb1:48df::2#53(fd31:aeb1:48df::2)
;; WHEN: Wed Sep 18 06:22:19 EDT 2019
;; MSG SIZE  rcvd: 52

And even Google's global DNS:

$ dig @8.8.8.8 use-application-dns.net a

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> @8.8.8.8 use-application-
dns.net a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33725
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; Query time: 1454 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 18 06:22:42 EDT 2019
;; MSG SIZE  rcvd: 52

Cheers,
b.

Attachment: signature.asc
Description: This is a digitally signed message part