
[FR] per-domain exclusion of qname minimization; like Knot #1239

Open

pgnd opened this issue Feb 11, 2025 · 1 comment

Comments


pgnd commented Feb 11, 2025

I run a local Unbound resolver for all mail server instances, as is the recommended best practice for, in my case, Postfix + Unbound on Linux.

QNAME minimization usage is strongly recommended by the main resolver vendors.

OTOH, use of Spamhaus (SH) for DNSBL queries recommends DISABLING QNAME minimization.

e.g., these articles:

KB Article: Spamhaus broken with QNAME minimization
 https://gitlab.isc.org/isc-projects/bind9/-/issues/4337

QNAME Minimization and Spamhaus
 https://kb.isc.org/docs/qname-minimization-and-spamhaus

QNAME Minimization and Spamhaus DNSBLs
 https://www.spamhaus.org/resource-hub/dnsbl/qname-minimization-and-spamhaus-dnsbls/

Configuring a DNS resolver for enhanced performance
 https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/000-intro.html

There's a conflict in the recommended (non-)usage of QNAME min ...

ISC says SH is broken and wrong in its recommendation, and that SH says it's working with the community, but there's no current information available.

SH support responds to inquiry saying there's work on the issue, but no ETA yet.

They recommend in the interim configuring a dedicated resolver specifically for the MX spam scanning instance, and turning off QNAME minimization, with the caveat that this disables QNAME minimization for all queries on that resolver by the MX -- not just those to the SH domains.

As a preferred alternative, they suggest using a resolver where it's possible to turn off QNAME minimization for specific domains only.

At the moment, that's reported as just Knot:

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/010-Knot.html

whereas for Unbound:

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/040-Unbound.html

it's all-or-nothing.

This is a Feature Request to add similar capability to Unbound -- specifically, to add per-domain exclusion for QNAME minimisation.
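As an added example (not from this issue, nor from the Unbound project or Spamhaus documentation), here is one way to get per-domain behaviour with Unbound as it exists today, using the interim workaround described in the post: run a second, dedicated Unbound instance with `qname-minimisation: no`, and have the MX's main resolver forward only the DNSBL zones to it. The file paths, the listening port 5353 and the zone name `dnsbl.example.` are placeholders; substitute the real DNSBL zone(s) you query. All option names used are standard Unbound `server:` and `forward-zone:` options.

```conf
# ---- /etc/unbound/unbound-dnsbl.conf (assumed path): dedicated instance ----
# This whole instance runs WITHOUT QNAME minimisation. Only the zones
# forwarded below ever reach it, so the loss of minimisation is confined
# to DNSBL lookups rather than to every query the MX makes.
server:
    interface: 127.0.0.1@5353
    access-control: 127.0.0.0/8 allow
    pidfile: "/run/unbound-dnsbl.pid"     # assumed path; must differ from the main instance
    qname-minimisation: no
    qname-minimisation-strict: no

# ---- /etc/unbound/unbound.conf: main resolver used by Postfix ----
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Keep the recommended default for everything else.
    qname-minimisation: yes
    # Unbound refuses to send queries to 127.0.0.0/8 unless this is set,
    # and the forwarder below lives on localhost.
    do-not-query-localhost: no

# Send only the DNSBL zone(s) to the non-minimising instance.
forward-zone:
    name: "dnsbl.example."                # placeholder for the real DNSBL zone
    forward-addr: 127.0.0.1@5353
```

Validate each file with `unbound-checkconf <file>` before starting the second daemon. The trade-off versus a native per-domain option is operational: two processes, two caches, and two sets of `access-control`/`pidfile` settings to keep in sync, which is exactly the overhead a built-in exclusion list would remove.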


pgnd commented Feb 19, 2025

Reading @wcawijngaards' commit re: conditional qname-minimisation at

e361f6b

leads me to

https://github.com/NLnetLabs/unbound/blob/master/iterator/iterator.c#L175

which looks like the right place to add exclusion?

pgnd changed the title "[FR] per-domain exclusion of qname minimization" to "[FR] per-domain exclusion of qname minimization; like Knot" on Feb 26, 2025