
[FR] per-domain exclusion of qname minimization; like Knot

Open: pgnd opened this issue 10 months ago • 1 comment

I run a local Unbound resolver for all mail server instances, as is the recommended best practice for, in my case, Postfix + Unbound on Linux.

QNAME minimization usage is strongly recommended by the main resolver vendors.

OTOH, use of Spamhaus (SH) for DNSBL queries comes with a recommendation to DISABLE QNAME minimization.

e.g., these articles:

KB Article: Spamhaus broken with QNAME minimization
 https://gitlab.isc.org/isc-projects/bind9/-/issues/4337

QNAME Minimization and Spamhaus
 https://kb.isc.org/docs/qname-minimization-and-spamhaus

QNAME Minimization and Spamhaus DNSBLs
 https://www.spamhaus.org/resource-hub/dnsbl/qname-minimization-and-spamhaus-dnsbls/

Configuring a DNS resolver for enhanced performance
 https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/000-intro.html

So there's a conflict in the recommended (non-)usage of qname min ...

ISC says SH is broken and wrong in its recommendation, and that SH says it's working with the community, but there's no current information available.

SH support responds to inquiry saying there's work on the issue, but no ETA yet.

They recommend, in the interim, configuring a dedicated resolver specifically for the MX spam scanning instance and turning off QNAME minimization, with the caveat that this disables QNAME minimization for all queries from the MX on that resolver, not just those to the SH domains.

As a preferred alternative, they suggest using a resolver where it's possible to turn off QNAME minimization for specific domains only.

At the moment, that's reported as just Knot:

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/010-Knot.html

whereas for Unbound,

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/Dns/040-Unbound.html

it's all-or-nothing.

This is a Feature Request to add similar capability to Unbound, specifically per-domain exclusion from QNAME minimisation.

pgnd, Feb 11 '25 18:02
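One way to get a per-domain effect with Unbound as it ships today, as an added example that is not from this issue or from the Unbound project: run two instances, and forward only the DNSBL zones from the normal minimising resolver to a second, non-minimising one. It assumes that Unbound sends the full QNAME to a forward-zone target (a forwarder is itself recursive, so there is nothing to minimise), and the zone names, ports and file paths are stand-ins to replace with your own.

```conf
# --- file: /etc/unbound/unbound.conf (instance A, the one the MX queries) ---
# QNAME minimisation stays on for every ordinary lookup; only the DNSBL
# zones listed below are handed to instance B.
server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    qname-minimisation: yes          # vendor-recommended default, unchanged
    do-not-query-localhost: no       # otherwise 127.0.0.1@5353 is refused as a target

# One forward-zone per DNSBL zone the MX actually uses (example zone names;
# substitute the zones from your own Spamhaus data set / DQS account).
forward-zone:
    name: "zen.spamhaus.org."
    forward-addr: 127.0.0.1@5353
forward-zone:
    name: "dbl.spamhaus.org."
    forward-addr: 127.0.0.1@5353

# --- file: /etc/unbound/dnsbl.conf (instance B: unbound -c /etc/unbound/dnsbl.conf) ---
# This process only ever sees the forwarded DNSBL queries, so the setting
# Spamhaus asks for is scoped to that traffic instead of the whole MX.
server:
    interface: 127.0.0.1
    port: 5353
    access-control: 127.0.0.0/8 allow
    qname-minimisation: no           # the all-or-nothing switch, confined to instance B
```

To confirm the split, query `TXT qnamemintest.internet.nl` against 127.0.0.1 port 53 (it should still report minimisation enabled) and a DNSBL test name against port 5353, and watch each instance's outgoing queries with `unbound-control dump_requestlist` or a packet capture.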

Reading @wcawijngaards' commit re: conditional qname-minimisation at

https://github.com/NLnetLabs/unbound/commit/e361f6b284e5ef5004320b380cfeace1721dbff1

leads me to

https://github.com/NLnetLabs/unbound/blob/master/iterator/iterator.c#L175

which looks like the right place to add the exclusion?

pgnd, Feb 19 '25 19:02

stale

pgnd, Oct 15 '25 19:10