Hi,

Please find my review, as member of the INT Area Directorate, of the following document:

DNS Query Name Minimisation to Improve Privacy
draft-ietf-dnsop-rfc7816bis-10

1. Introduction and Background

   The problem statement for this document is described in [RFC7626].

s/[RFC7626]/[RFC9076]

1.1. Experience From RFC 7816

   This document obsoletes [RFC7816]. RFC 7816 was labelled
   "experimental", but ideas from it were widely deployed since its
   publication. Many resolver implementations now support QNAME
   minimisation. The lessons learned from implementing QNAME
   minimisation were used to create this new revision.

Maybe another argument to move to "Standards Track": for the moment, Root Server Operators do not feel comfortable with authoritative DNS encryption. They encourage the increased deployment of QNAME minimisation [REF_informative].

[REF_informative] https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf

5. Performance Considerations

   QNAME minimisation can increase the number of queries based on the
   incoming QNAME. This is described in Section 2.3. As described in
   [devries-qnamemin], QNAME minimisation in strict mode both increases
   the number of DNS lookups by up to 26% and leads to up to 5% more
   failed lookups. The full cache in a production resolver will soften
   that overhead.

I didn't find any definition/explanation of the "strict mode" of QNAME minimisation inside this document. There is no definition/explanation of strict (and relaxed) mode(s) inside [devries-qnamemin] either. So I don't understand how this paragraph is useful for the document. Could you clarify this point, please?

6. Security Considerations

   QNAME minimisation's benefits are clear in the case where you want
   to decrease exposure to the authoritative name server. But
   minimising the amount of data sent also, in part, addresses the case
   of a wire sniffer as well as the case of privacy invasion by the
   servers. (Encryption is of course a better defense against wire
   sniffers, but, unlike QNAME minimisation, it changes the protocol
   and cannot be deployed unilaterally. Also, the effect of QNAME
   minimisation on wire sniffers depends on whether the sniffer is on
   the DNS path.)

Maybe my comment about Root Server Operators (cf. Section 1.1) may be used to illustrate the difficulty of deploying encryption everywhere.

Thanks in advance for your replies.

Best regards,
JMC.
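The two points the review quotes from the draft, the extra queries in Section 5 and the reduced exposure per authoritative server in Section 6, are easy to see in a small offline simulation. The block below is an added example, not code from the draft, the review, or any resolver; the zone tree, the cold cache, the "one label per step" walk and the server that answers NXDOMAIN for an empty non-terminal are all constructed assumptions for the demonstration.

```python
"""Offline simulation of QNAME minimisation against a constructed zone tree.

Added example (not from the draft or any resolver). It shows what each
authoritative server sees, how many queries a lookup costs with and
without minimisation from a cold cache, and how an authoritative server
that answers NXDOMAIN for an empty non-terminal (assumed failure mode)
makes a minimised lookup fail where the full-QNAME lookup succeeds.
"""
from typing import Dict, List, Tuple

# Constructed zone tree (sample data, not real DNS). Each zone lists the
# child zones it delegates and the owner names that exist in it.
ZONES: Dict[str, dict] = {
    ".": {"delegations": {"example."}, "names": set(), "broken_ent": False},
    "example.": {"delegations": {"corp.example."}, "names": {"example."},
                 "broken_ent": False},
    "corp.example.": {
        "delegations": set(),
        "names": {"corp.example.", "www.corp.example.", "a.b.c.d.corp.example."},
        "broken_ent": False,
    },
}
# Same tree, but corp.example. mishandles empty non-terminals (assumption).
BROKEN_ZONES = {apex: dict(z) for apex, z in ZONES.items()}
BROKEN_ZONES["corp.example."]["broken_ent"] = True

Trace = List[Tuple[str, str, str]]  # (zone apex asked, QNAME sent, outcome)


def _labels(name: str) -> List[str]:
    return [lab for lab in name.split(".") if lab]


def _suffix(name: str, count: int) -> str:
    """Rightmost `count` labels of `name`, as an absolute name."""
    labs = _labels(name)
    return ".".join(labs[len(labs) - count:]) + "." if count else "."


def _in_zone(name: str, apex: str) -> bool:
    return apex == "." or name == apex or name.endswith("." + apex)


def query(apex: str, qname: str, zones: Dict[str, dict]) -> Tuple[str, str]:
    """Authoritative server for `apex` answers `qname`: referral, exists or nxdomain."""
    zone = zones[apex]
    for child in sorted(zone["delegations"], key=len, reverse=True):
        if _in_zone(qname, child):
            return "referral", child
    if qname in zone["names"]:
        return "exists", ""
    is_ent = any(n.endswith("." + qname) for n in zone["names"])
    if is_ent and not zone["broken_ent"]:
        return "exists", ""  # empty non-terminal: NODATA, name exists
    return "nxdomain", ""


def resolve(qname: str, zones: Dict[str, dict], minimise: bool) -> Tuple[str, Trace]:
    """Iterative lookup from a cold cache, one label at a time when minimising."""
    trace: Trace = []
    apex = "."
    total = len(_labels(qname))
    revealed = 1 if minimise else total  # labels of qname sent to the root
    for _ in range(64):  # guard against a delegation loop in bad data
        sent = _suffix(qname, revealed)
        kind, child = query(apex, sent, zones)
        trace.append((apex, sent, kind))
        if kind == "referral":
            apex = child
            if minimise:
                revealed = min(total, len(_labels(child)) + 1)
            continue
        if kind == "exists" and sent != qname:
            revealed += 1  # intermediate name exists: reveal one more label
            continue
        return kind, trace
    return "loop", trace


def names_seen_by(trace: Trace) -> Dict[str, List[str]]:
    """Which QNAMEs each authoritative server (and anyone on that path) saw."""
    seen: Dict[str, List[str]] = {}
    for apex, sent, _ in trace:
        seen.setdefault(apex, []).append(sent)
    return seen


if __name__ == "__main__":
    for name in ("www.corp.example.", "a.b.c.d.corp.example."):
        for mode in (False, True):
            status, trace = resolve(name, ZONES, minimise=mode)
            print(name, "minimise=%s" % mode, status, len(trace), "queries",
                  names_seen_by(trace))
    print(resolve("a.b.c.d.corp.example.", BROKEN_ZONES, minimise=True)[0])
```

With minimisation the root server only ever sees "example.", while without it every server on the path sees the full name. The six-label name costs six queries minimised versus three unminimised, which is the per-QNAME overhead the draft's Section 5 refers to, and against the BROKEN_ZONES tree the minimised walk stops with NXDOMAIN at "d.corp.example." even though the full name resolves, which is the kind of failed lookup a resolver would need a fallback for.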