Hi Duane,

>> risk of implementation fingerprinting due to the distinctive QTYPE.
> I think you mean QNAME here?

No, this is about QTYPE. If your software is the only codebase that uses the QTYPE "MAILB" for DNS probes, then that's a very distinctive fingerprint. Distinctive QNAMEs are also highly fingerprintable, as mentioned in Section 1, but that is orthogonal to the QTYPE.

>> 4) Are developers of caching domain name servers expected to make
>> their implementations recognize these names as special and treat them
>> differently? If so, how?
>>
>> No. This name is subject to ordinary caching logic.
> This was unexpected, given that RFC 9462’s answer to SUDN question 4
> was “yes” for the parent domain resolver.arpa.
> (Reading section 8.2 of RFC 9462 I feel like there is some ambiguity
> whether it is talking about resolver.arpa or _dns.resolver.arpa)

Leaving aside the precise wording of the RFC 6761 questionnaire, the draft's current position is:

* Full resolvers are suggested to have special handling for the resolver.arpa zone.
* Full resolvers don't need any additional special handling specifically for "probe.resolver.arpa".
* Caching stub resolvers don't need any special handling for "resolver.arpa" or "probe.resolver.arpa".

We could ask caching stubs to special-case the probe name to make it uncacheable, but this sounds to me like "MUST but we know you won't".

--Ben
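The fingerprinting point above (a rare QTYPE gives away the implementation on its own, and a distinctive QNAME does so independently) shown as a small classifier over wire-format DNS questions. This is an added example, not code from the draft or from anyone in this thread; it assumes the standard RFC 1035 QTYPE codes (MAILB = 253) and uses the probe name from the discussion as a constructed sample.

```python
# Added example: encode/decode a DNS question section and report which
# fields of a query would let an observer fingerprint the client.
# Assumption: QTYPE codes per RFC 1035 (A=1, TXT=16, AAAA=28, MAILB=253).
import struct

QTYPE = {"A": 1, "TXT": 16, "AAAA": 28, "MAILB": 253}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
COMMON_QTYPES = {QTYPE["A"], QTYPE["AAAA"], QTYPE["TXT"]}  # seen from any client
SPECIAL_ZONE = ["resolver", "arpa"]  # zone the draft singles out

def encode_question(qname, qtype, qclass=1):
    """Wire-format question: length-prefixed labels, root, QTYPE, QCLASS."""
    labels = qname.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00" + struct.pack("!HH", qtype, qclass)

def decode_question(wire):
    """Parse one question back into (qname, qtype, qclass); no compression."""
    labels, pos = [], 0
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # a lone question never carries a label pointer
            raise ValueError("unexpected compression pointer in question")
        labels.append(wire[pos:pos + n].decode("ascii").lower())
        pos += n
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def fingerprint_reasons(wire):
    """List each independent reason this query identifies the sender.
    A rare QTYPE is reported even when the QNAME is unremarkable, and the
    special-use zone is reported even when the QTYPE is ordinary."""
    qname, qtype, _ = decode_question(wire)
    reasons = []
    if qtype not in COMMON_QTYPES:
        reasons.append("distinctive-qtype:" + QTYPE_NAME.get(qtype, str(qtype)))
    if qname.split(".")[-2:] == SPECIAL_ZONE:
        reasons.append("special-zone:resolver.arpa")
    return reasons

if __name__ == "__main__":
    # Constructed sample: the probe as discussed, plus two contrasting queries.
    for name, qt in [("probe.resolver.arpa", QTYPE["MAILB"]),
                     ("example.com", QTYPE["MAILB"]),
                     ("www.example.com", QTYPE["A"])]:
        print(name, QTYPE_NAME[qt], fingerprint_reasons(encode_question(name, qt)))
```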