[dns-operations] edns-client-subnet capable authorities?

Mark Andrews marka at isc.org
Thu Jul 20 23:32:32 UTC 2017


In message <22896.39221.375448.814536 at tale.kendall.corp.akamai.com>, David C Lawrence writes:
> Mark Andrews writes:
> > In making a decision about whether to probe or white list you may want
> > to look at https://ednscomp.isc.org/compliance/summary.html which has
> > graphs of the failure modes for unknown EDNS options.
> 
> Good point, Mark.  I will point out that our own recursive team didn't
> want to have to deal with whitelists either (which is perfectly
> rational) and just thought they'd use it everywhere.
> 
> Personally I didn't think this was great philosophically, but
> independent of my feelings on the matter it turned out to be terrible
> in real world operational terms.
> 
> At least a couple of the Alexa Top 1000 domains would just black-hole
> queries that had ECS.  No reply, timeout.  Of course a resolver would
> have a hard time automatically interpreting the cause of the timeout
> and would have to do extra work to id the problem as likely because of
> the presence of the option.

For this you can mostly blame firewall vendors with stupid default
firewall rules.  We will "protect" you from EDNS options by performing
a denial-of-service attack on your customers.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
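The failure mode described in the thread (a query that carries ECS is silently dropped while the same query without the option is answered) can only be told apart from an ordinary outage by comparing several probes, which is the "extra work" a resolver would otherwise have to do. The following Python 3 script is an added example, not part of this thread and not ISC's ednscomp; it uses only the standard library to send three UDP queries to an authoritative server (no EDNS, EDNS with an empty OPT RR, EDNS with an ECS option for a documentation prefix) and classifies what came back. The server address, zone name, 2-second timeout and the test prefix 198.51.100.0/24 are assumptions chosen for illustration.

```python
import ipaddress
import random
import socket
import struct
import sys

ECS_OPTION_CODE = 8      # EDNS Client Subnet, RFC 7871
OPT_TYPE = 41            # OPT pseudo-RR type
EDNS_UDP_SIZE = 1232     # advertised UDP payload size (assumption)


def build_query(qname, qtype=1, edns=True, ecs_prefix=None, txid=None):
    """Build a DNS query in wire format: one question, and an OPT RR when
    edns=True. If ecs_prefix (e.g. "198.51.100.0/24") is given, the OPT RR
    carries one ECS option with SCOPE PREFIX-LENGTH 0, as a stub/resolver would send."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN
    if not edns:
        return header + question
    rdata = b""
    if ecs_prefix is not None:
        net = ipaddress.ip_network(ecs_prefix, strict=False)
        family = 1 if net.version == 4 else 2
        addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # truncated address
        option = struct.pack("!HBB", family, net.prefixlen, 0) + addr
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    # OPT RR: root name, type 41, CLASS = UDP size, TTL = ext. RCODE/version/flags (all 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past the name at msg[off:], honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_edns_options(msg):
    """Return the (code, data) EDNS options of the message's OPT RR, [] if the OPT RR
    carries none, or None if the message has no OPT RR at all."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            options, end = [], off + rdlen
            while off < end:
                code, olen = struct.unpack("!HH", msg[off:off + 4])
                options.append((code, msg[off + 4:off + 4 + olen]))
                off += 4 + olen
            return options
        off += rdlen
    return None


def send_udp(server, wire, timeout=2.0):
    """Send one query over UDP; return the reply bytes, or None on timeout."""
    family, _, _, _, sockaddr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, sockaddr)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == wire[:2] else None   # ignore replies with a foreign ID


def classify(r):
    """Map the probe outcomes onto the failure modes discussed in the thread.
    Note that a FORMERR or NOTIMP reply still counts as an answer: it is visible
    to the resolver, unlike a black-holed query."""
    if not r["plain"]:
        return "no-answer-at-all"          # server or path problem, not an EDNS issue
    if not r["edns"]:
        return "drops-all-edns"            # even a bare OPT RR is black-holed
    if not r["ecs"]:
        return "drops-ecs-option"          # the silent-timeout behaviour described above
    return "answers-and-echoes-ecs" if r["ecs_echoed"] else "answers-ignores-ecs"


def probe(server, qname, client_prefix="198.51.100.0/24", timeout=2.0):
    """Send the three probes and return (raw outcomes, classification)."""
    replies = {label: send_udp(server, wire, timeout) for label, wire in (
        ("plain", build_query(qname, edns=False)),
        ("edns", build_query(qname)),
        ("ecs", build_query(qname, ecs_prefix=client_prefix)))}
    results = {k: v is not None for k, v in replies.items()}
    opts = parse_edns_options(replies["ecs"]) if replies["ecs"] else None
    results["ecs_echoed"] = bool(opts) and any(c == ECS_OPTION_CODE for c, _ in opts)
    return results, classify(results)


if __name__ == "__main__":
    # usage: python3 ecsprobe.py <authoritative-server> <name-in-its-zone>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against the authoritative servers for a zone you operate, both from inside and outside the firewall; a "drops-ecs-option" or "drops-all-edns" result from outside but not from inside points at the middlebox rather than the name server. For a whitelisting decision the distinction in the last two classes matters as well: a server that answers but does not echo the option is ignoring ECS, so sending it gains nothing.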
