[dns-operations] edns-client-subnet capable authorities?

Mark Andrews marka at isc.org
Thu Jul 20 00:00:06 UTC 2017


In making a decision about whether to probe or white list you may want
to look at https://ednscomp.isc.org/compliance/summary.html which has
graphs of the failure modes for unknown EDNS options.

Timeout and echoes are both bad for ECS.  Echoes increase the cache
size for no benefit.

FORMERR and BADVERS can both be worked around by resending without
the option.

Named resends without EDNS for FORMERR, BADVERS and timeout which
can cause DNSSEC validation to not work.  We DO NOT intend to make
DNSSEC work with such broken servers and would encourage other
recursive server vendors to take a similar stance.

I haven't seen a firewall that selectively blocks on ECS yet.

Mark

In message <28181C82-D99A-481F-95D9-70645C4E57A4 at cisco.com>, "Brian Hartvigsen (bhartvig)" writes:
>
> Actually Google does it by probing for support.  OpenDNS (with which I am
> affiliated) does still use a whitelist.
>
> We do not publish our whitelist and I'm not aware of a public one.
>
> -- Brian
>
> From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of
> William Pressly <william.pressly at verizondigitalmedia.com>
> Date: Wednesday, July 19, 2017 at 12:49 PM
> To: "Paul S. R. Chisholm" <psrc at google.com>,
> "google-public-dns at google.com" <google-public-dns at google.com>,
> Christopher LaVallee <Christopher.Lavallee at verizondigitalmedia.com>,
> Jesse Blazina <Jesse.Blazina at verizondigitalmedia.com>,
> "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Subject: dns-operations edns-client-subnet capable authorities?
>
> Hi Google Folks, (Copying OARC ops list in case anyone knows anything
> there)
>
> We at VDMS (formerly EdgeCast) are interested in using edns-client-subnet
> in our recursive infrastructure. I believe the way most recursive
> providers support edns-client-subnet is by whitelisting a set of
> authorities or zones that accept the option.
>
> Does Google publish their whitelist anywhere? Is there any way to find
> such a list? Is this even a thing?
>
> Thanks,
> WBSP (Will Pressly)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
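
Added example, not part of the original message and not code from named or ednscomp: a classifier that sorts the reply to a query carrying one unknown EDNS option into the failure modes named above (timeout, echo, FORMERR, BADVERS), which is the decision a probing resolver has to make before sending ECS to an authority. The probe option code 65001, the class labels and the sample replies built by `build_reply` are constructed for illustration.

```python
import struct

FORMERR, BADVERS, OPT = 1, 16, 41   # two RCODEs and the OPT RR type
PROBE = (65001, b"probe")           # constructed option, local-use code range

def skip_name(msg, off):
    # Step past a DNS name: plain labels or a compression pointer.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(resp, probe=PROBE):
    """Classify a reply to a query that carried one unknown EDNS option."""
    if resp is None:
        return "timeout"                       # query was dropped
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", resp, 0)
    off, rcode, has_opt, options = 12, flags & 0xF, False, {}
    for _ in range(qd):
        off = skip_name(resp, off) + 4         # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT:
            # Upper 8 bits of the extended RCODE sit in the OPT TTL field.
            has_opt, rcode, p = True, rcode | (ttl >> 24) << 4, 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, p)
                options[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    if rcode in (FORMERR, BADVERS):            # retry without the option
        return "formerr" if rcode == FORMERR else "badvers"
    if not has_opt:
        return "no-edns"
    # An unknown option returned verbatim means the server echoes options.
    return "echo" if options.get(probe[0]) == probe[1] else "ignored"

def build_reply(rcode, opts=None):
    # Constructed reply to "example.com. A"; opts=None means no OPT record.
    ar = int(opts is not None)
    msg = struct.pack("!6H", 0x1234, 0x8000 | rcode & 0xF, 1, 0, 0, ar)
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    if opts is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in opts)
        msg += b"\x00" + struct.pack("!HHIH", OPT, 1232, rcode >> 4 << 24, len(rdata)) + rdata
    return msg
```
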


