[dns-operations] edns-client-subnet capable authorities?
Mark Andrews
marka at isc.org
Thu Jul 20 23:32:32 UTC 2017
In message <22896.39221.375448.814536 at tale.kendall.corp.akamai.com>, David C Lawrence writes:
> Mark Andrews writes:
> > In making a decision about whether to probe or white list you may want
> > to look at https://ednscomp.isc.org/compliance/summary.html which has
> > graphs of the failure modes for unknown EDNS options.
>
> Good point, Mark. I will point out that our own recursive team didn't
> want to have to deal with whitelists either (which is perfectly
> rational) and just thought they'd use it everywhere.
>
> Personally I didn't think this was great philosophically, but
> independent of my feelings on the matter it turned out to be terrible
> in real world operational terms.
>
> At least a couple of the Alexa Top 1000 domains would just black-hole
> queries that had ECS. No reply, timeout. Of course a resolver would
> have a hard time automatically interpreting the cause of the timeout
> and would have to do extra work to id the problem as likely because of
> the presence of the option.
For this you can mostly blame firewall vendors with stupid default
firewall rules. We will "protect" you from EDNS options by performing
a denial-of-service attack on your customers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
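As an added example, not part of this thread or of any ISC tool, the probe below does the comparison David describes: it sends an authority the same query once with a bare EDNS0 OPT RR and once with an RFC 7871 CLIENT-SUBNET option, then classifies the reply so an operator can tell "drops anything with ECS" apart from "drops all EDNS" or "answers without OPT". The function names, the 1232-byte payload size and the constructed documentation-space subnet 198.51.100.0/24 are my choices; only IPv4 subnets are handled.

```python
import socket, struct

def build_query(name, ecs=None, qtype=1, txid=0x1234):
    """DNS query with an EDNS0 OPT RR; ecs=(network, prefix_len) adds the RFC 7871 CLIENT-SUBNET option."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    rdata = b""
    if ecs:
        ip, prefix = ecs
        addr = bytearray(socket.inet_aton(ip)[:(prefix + 7) // 8])  # only the bytes the prefix covers
        if prefix % 8:
            addr[-1] &= 0xFF << (8 - prefix % 8) & 0xFF           # host bits must be zero (RFC 7871 s.6)
        body = struct.pack(">HBB", 1, prefix, 0) + bytes(addr)     # family 1 = IPv4; scope prefix 0 in queries
        rdata = struct.pack(">HH", 8, len(body)) + body            # option code 8 = CLIENT-SUBNET
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (all zero)
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + qname + struct.pack(">HH", qtype, 1) + opt

def _skip_name(msg, off):                    # offset just past a (possibly compressed) domain name
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_reply(reply):
    """Classify the authority's reaction: 'timeout', 'formerr', 'no-opt' (EDNS stripped) or 'ok'."""
    if reply is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", reply[:12])
    if flags & 0x000F == 1:
        return "formerr"
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
        if rtype == 41:
            return "ok"
        off += 10 + rdlen
    return "no-opt"

def probe(server, name, ecs=None, timeout=3.0):   # one UDP query; raw reply, or None on timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, ecs=ecs), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

Compare `classify_reply(probe(ns_ip, zone))` against `classify_reply(probe(ns_ip, zone, ecs=("198.51.100.0", 24)))`: "ok" for the first and "timeout" for the second is the ECS-specific black hole the thread describes, while "timeout" for both points at a firewall dropping EDNS altogether.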