Get green in Project dnsprivacy-monitoring #15

Open
ryru opened this issue Nov 23, 2020 · 1 comment
Labels
enhancement New feature or request

Comments

@ryru
Collaborator

ryru commented Nov 23, 2020

Our secure DNS resolvers are automatically run against various DNS-related tests by the dnsprivacy-monitoring project. Some tests fail, though. More research and even configuration changes are required for:

  1. TLS 443: "Does the server answer DNS queries over TLS on port 443 with no SNI sent?"
  2. Strict Name 443: "Does the server pass Strict authentication using the authentication domain name only on 443 (some operators require an SNI on 443 to defend against attacks)?"
  3. Keepalive => The edns-tcp-keepalive EDNS0 Option, RFC 7828
  4. Padding => The EDNS(0) Padding Option, [RFC 7830](https://datatracker.ietf.org/doc/rfc7830)
  5. OOOR: "Does the server give Out Of Order Responses (Experimental, may give false negatives)?"
@ryru ryru added the bug Something isn't working label Nov 23, 2020
@ryru ryru added enhancement New feature or request and removed bug Something isn't working labels Jan 8, 2021
@ryru
Collaborator Author

ryru commented Jan 8, 2021

Current state:

  1. No, currently not. Why would that be desirable?
  2. No, currently not. Why would that be desirable?
  3. In my understanding this makes sense if client and DNS resolver have a direct TCP connection. In our case nginx serves as reverse proxy. nginx does not understand keepalive within DNS messages, so from my point of view this config (edns-tcp-keepalive) seems useless.
  4. This would result in more bandwidth consumption. Further, one could also configure padding for TLS. What would be the benefits of either configuration?
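A way to check points 3 and 4 (and the "no SNI" question in point 1) against your own resolver, added here as example code that is not part of the dnsprivacy-monitoring project or this repository's configuration: it builds a query that carries both the edns-tcp-keepalive (RFC 7828) and Padding (RFC 7830) options, parses whatever EDNS0 options come back, and can send the query over DNS-over-TLS with or without SNI. It assumes Python 3 only; the resolver host, port and query name in the calls are placeholders.

```python
import socket, ssl, struct

OPT_TCP_KEEPALIVE, OPT_PADDING = 11, 12  # EDNS0 option codes from RFC 7828 and RFC 7830

def build_query(qname, qtype=1, txn_id=0x1234, keepalive=True, pad_to=128):
    """Wire-format query carrying an empty edns-tcp-keepalive option and RFC 8467-style padding."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1 (OPT RR)
    labels = [label.encode() for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)
    opts = struct.pack("!HH", OPT_TCP_KEEPALIVE, 0) if keepalive else b""  # clients send it empty
    if pad_to:  # pad the whole message to a multiple of pad_to (RFC 8467: 128 octets for queries)
        n = -(len(header) + len(question) + 11 + len(opts) + 4) % pad_to  # 11 = fixed OPT RR bytes
        opts += struct.pack("!HH", OPT_PADDING, n) + b"\x00" * n
    # OPT pseudo-RR: root name, TYPE 41, 4096-byte UDP payload size, ext-rcode/version/flags = 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opts)) + opts

def parse_edns_options(msg):
    """Return {code: data} for every option in the message's OPT RR ({} if there is no OPT RR)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(o):  # walks uncompressed labels, stops at root (0) or a 0xC0 compression pointer
        while msg[o] and msg[o] < 0xC0:
            o += msg[o] + 1
        return o + (2 if msg[o] else 1)
    off, found = 12, {}
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        o = 0
        while rtype == 41 and o + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            found[code], o = rdata[o + 4:o + 4 + olen], o + 4 + olen
    return found

def query_over_tls(host, wire, port=853, sni=None, timeout=5):
    """Send one query over DNS-over-TLS and return the raw answer; sni=None sends no SNI at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = sni is not None  # no name to check without SNI; the CA chain is still verified
    with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw, server_hostname=sni) as tls:
        tls.sendall(struct.pack("!H", len(wire)) + wire)  # RFC 7858: two-octet length prefix
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection before a full DNS response")
            buf += chunk
        return buf[2:]
```

Calling `parse_edns_options(query_over_tls("<resolver ip>", build_query("example.com"), sni=None))` shows which of codes 11 and 12 the resolver, or the proxy in front of it, actually echoes back.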
