Thanks so much for chasing that down with the upstream. You're a hero.
I think it's unlikely that we'll enable qname minimization in prod for a while yet. Akamai has fixed their qname minimization problem (yay) but I think overall this feature is liable to shake out more broken resolvers than we're able to triage right now and we'll play conservatively.
Unbound’s QNAME minimisation almost always works – when it doesn’t have bugs, at least. Unless you also set “qname-minimisation-strict: yes”, it ignores ENT NXDOMAINs, and Akamai and other authoritative servers with the same issue work fine.
The only things that trip it up are incorrect delegations and, I think, timeouts.
And Boulder’s CAA queries already expose Let’s Encrypt to those issues to a lesser degree.
I’m talking out my butt, but I don’t think there would be a large number of problems, unless you use strict mode.
Pro-QNAME minimisation hype over with, I don’t think there’s much reason to turn minimisation on: Any failures are more than zero failures, CT renders DNS privacy mostly moot, and Let’s Encrypt’s high traffic and minimal caching make the extra queries more expensive than in typical resolver deployments.
Edit: Unbound doesn’t ignore a secure NXDOMAIN (possibly depending on the configuration) but secure zones with issues are probably in trouble anyway.
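To make the strict-versus-relaxed distinction concrete, here is a small simulation of label-by-label QNAME minimisation (RFC 7816) against an authoritative server that answers NXDOMAIN for an empty non-terminal. This is an added example, not code from the thread above and not Unbound's implementation: the zone contents, the `authoritative` stub and the `resolve` model are constructed, and `strict=True` stands in for what the `qname-minimisation-strict: yes` behaviour described above does (trust the intermediate NXDOMAIN), while `strict=False` retries the full name. It also records every name sent to the server, which shows the extra queries minimisation costs on a cache-poor resolver.

```python
"""Simplified model of QNAME minimisation (RFC 7816) against an authoritative
server that mis-answers empty non-terminals (ENTs).

Constructed example: the zone data, the server behaviour and the resolver
logic are invented for illustration; this is not Unbound's code.
"""
from typing import Dict, List, Tuple

ZONE_APEX = "example.com."

# Constructed zone contents (example.com is a reserved documentation name).
# "cdn.example.com." has no records of its own, so it is an ENT.
RECORDS: Dict[str, Dict[str, List[str]]] = {
    "example.com.": {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"]},
    "www.cdn.example.com.": {"A": ["192.0.2.10"]},
}


def labels_below_apex(qname: str) -> List[str]:
    """Labels of qname below the zone apex, least specific first."""
    if not qname.endswith(ZONE_APEX):
        raise ValueError(f"{qname} is not in {ZONE_APEX}")
    rest = qname[: -len(ZONE_APEX)].rstrip(".")
    return list(reversed(rest.split("."))) if rest else []


def authoritative(name: str, qtype: str, broken_ent: bool) -> Tuple[str, List[str]]:
    """Fake authoritative answer as (rcode, rdata).

    A correct server answers NOERROR with no data for an ENT; with broken_ent
    set it answers NXDOMAIN instead, which is the bug discussed above.
    """
    if name in RECORDS:
        return "NOERROR", RECORDS[name].get(qtype, [])
    is_ent = any(owner.endswith("." + name) for owner in RECORDS)
    if is_ent:
        return ("NXDOMAIN", []) if broken_ent else ("NOERROR", [])
    return "NXDOMAIN", []


def resolve(qname: str, qtype: str, strict: bool, broken_ent: bool) -> Tuple[str, List[str], List[str]]:
    """Resolve qname with label-by-label minimisation.

    Returns (rcode, rdata, names actually sent to the server).
    strict=True trusts an intermediate NXDOMAIN (strict mode);
    strict=False stops probing and asks for the full name instead.
    """
    queried: List[str] = []
    current = ZONE_APEX
    for label in labels_below_apex(qname):
        current = f"{label}.{current}"
        if current == qname:
            break  # next query is the real one, sent below
        queried.append(current)
        # Intermediate probe with a neutral type, as RFC 7816 suggests.
        rcode, _ = authoritative(current, "NS", broken_ent)
        if rcode == "NXDOMAIN":
            if strict:
                return "NXDOMAIN", [], queried
            break  # relaxed: fall back to the full name
    queried.append(qname)
    rcode, data = authoritative(qname, qtype, broken_ent)
    return rcode, data, queried


if __name__ == "__main__":
    for strict in (False, True):
        for broken in (False, True):
            rcode, data, sent = resolve("www.cdn.example.com.", "A", strict, broken)
            print(f"strict={strict!s:5} broken_ent={broken!s:5} -> {rcode:8} {data} via {sent}")
```

Against the broken server, relaxed mode still resolves `www.cdn.example.com.` at the cost of one wasted probe, while strict mode returns a spurious NXDOMAIN after the first label; against a correct server both modes behave identically, and a genuinely nonexistent deep name costs strict mode fewer queries than relaxed mode.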