[dns-operations] edns-client-subnet capable authorities?

Mark Andrews marka at isc.org
Thu Jul 20 00:00:06 UTC 2017

In making a decision about whether to probe or white list you may want
to look at https://ednscomp.isc.org/compliance/summary.html which has
graphs of the failure modes for unknown EDNS options.

Timeout and echos are both bad for ECS.  Echos increase the cache
size for no benefit.

FORMERR and BADVERS can both be worked about by resending without
the option.

Named resends without EDNS for FORMERR, BADVERS and timeout which
can cause DNSSEC validation to not work.  We DO NOT intend to make
DNSSEC work with such broken servers and would encourage other
recursive server vendors to take a similar stance.

I haven't see a firewall that selectively blocks on ECS yet.


In message <28181C82-D99A-481F-95D9-70645C4E57A4 at cisco.com>, "Brian Hartvigsen (bhartvig)" writes:
> Actually Google does it by probing for support.  OpenDNS (of which I am
> affiliated with) does still use a whiltelist.
> We do not publish our whitelist and Im not aware of a public one.
> -- Brian
> From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of
> William Pressly <william.pressly at verizondigitalmedia.com>
> Date: Wednesday, July 19, 2017 at 12:49 PM
> To: "Paul S. R. Chisholm" <psrc at google.com>,
> "google-public-dns at google.com" <google-public-dns at google.com>,
> Christopher LaVallee <Christopher.Lavallee at verizondigitalmedia.com>,
> Jesse Blazina <Jesse.Blazina at verizondigitalmedia.com>,
> "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Subject: dns-operations edns-client-subnet capable authorities?
> Hi Google Folks, (Copying OARC ops list in case anyone knows anything
> there)
> We at VDMS (formerly EdgeCast) are interested in using edns-client-subnet
> in our recursive infrastructure. I believe the way most recursive
> providers support edns-client-subnet is by whitelisting a set of
> authorities or zones that accept the option.
> Does google publish their whitelist anywhere? Is there anyway to find
> such a list? Is this even a thing?
> Thanks,
> WBSP (Will Pressly)

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list