[dns-operations] Stop marking TLD's NS server as EDNS-incapable

Davey Song(宋林健) ljsong at biigroup.cn
Mon Mar 6 02:40:46 UTC 2017


Hi Folks, 

A DNSSEC issue due to EDNS fallback has been reported. It is recorded here for
your information. AFAIK it is not the only case and complaint that EDNS fallback
has brought.

http://yeti-dns.org/yeti/blog/2017/03/03/bind-edns-fallback-and-dnssec-issue.html

I concluded there that EDNS fallback is proposed for good. But it may
introduce false positives due to temporary network failure or malicious
manipulation. Once the name servers of certain TLDs like .com and .net are
marked EDNS-incapable, it will become a disaster for validating resolvers.

One intuitive idea is to stop marking TLDs' NS servers as EDNS-incapable, given
the fact that 7040 of 7060 (99.72%) name servers support EDNS. Or we can
turn off the fallback function when it comes to DS records (the query back to
their parents).

Best regards,

Davey
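
The mechanism behind the complaint above, as an added simplified model (not code from the post, from the Yeti project or from BIND): a resolver that retries without EDNS after a timeout, counts those retries against the server, and stops sending EDNS to it once a threshold is reached. Because dropping EDNS also drops the DO bit, later DS answers arrive without RRSIGs and a validator must treat them as bogus. The two switches in the model correspond to the two mitigations the message suggests; the threshold, the server name and the switch names are assumptions.

```python
"""Simplified model of resolver EDNS fallback and its DNSSEC side effect.

Added illustration, not code from the post, from Yeti or from BIND. The
failure threshold, the server name and the two mitigation switches are
assumptions chosen to make the effect visible.
"""
from dataclasses import dataclass, field
from typing import Optional


EDNS_FAILURE_THRESHOLD = 3  # assumed: EDNS timeouts before a server is marked incapable


@dataclass
class Server:
    """Authoritative server. drops_edns_queries models a transient fault
    (packet loss or a middlebox) that only affects queries carrying EDNS."""
    name: str
    edns_capable: bool = True
    drops_edns_queries: bool = False


@dataclass
class Query:
    qname: str
    qtype: str
    edns: bool  # OPT record present
    do: bool    # DO bit set; only possible with EDNS


@dataclass
class Response:
    rrsig_present: bool


def send(server: Server, query: Query) -> Optional[Response]:
    """Simulated transport: returns None on timeout."""
    if query.edns and (server.drops_edns_queries or not server.edns_capable):
        return None  # a genuinely EDNS-incapable server is modelled as silent
    # RRSIGs are only included when the DO bit was set
    return Response(rrsig_present=query.do)


@dataclass
class Resolver:
    edns_failures: dict = field(default_factory=dict)
    edns_disabled: set = field(default_factory=set)
    fallback_exempt: set = field(default_factory=set)     # mitigation 1: never mark these servers
    no_fallback_qtypes: set = field(default_factory=set)  # mitigation 2: never fall back for these qtypes

    def query(self, server: Server, qname: str, qtype: str) -> Optional[Response]:
        use_edns = server.name not in self.edns_disabled
        resp = send(server, Query(qname, qtype, edns=use_edns, do=use_edns))
        if resp is None and use_edns:
            if qtype in self.no_fallback_qtypes:
                return None  # fail closed: SERVFAIL instead of an unsigned answer
            self._record_edns_failure(server)
            # fallback: retry without EDNS, which also drops the DO bit
            resp = send(server, Query(qname, qtype, edns=False, do=False))
        return resp

    def _record_edns_failure(self, server: Server) -> None:
        if server.name in self.fallback_exempt:
            return
        n = self.edns_failures.get(server.name, 0) + 1
        self.edns_failures[server.name] = n
        if n >= EDNS_FAILURE_THRESHOLD:
            self.edns_disabled.add(server.name)


def validate(resp: Optional[Response], zone_signed: bool = True) -> str:
    """Validator verdict: a signed zone's answer without RRSIGs is bogus."""
    if resp is None:
        return "SERVFAIL"
    if zone_signed and not resp.rrsig_present:
        return "BOGUS"
    return "SECURE"


def scenario(mitigation: Optional[str] = None) -> list:
    """DS lookups at a TLD server during a transient fault and after it clears."""
    tld = Server("a.gtld-servers.example")  # constructed name
    r = Resolver()
    if mitigation == "exempt_tld":
        r.fallback_exempt.add(tld.name)
    elif mitigation == "no_ds_fallback":
        r.no_fallback_qtypes.add("DS")
    verdicts = []
    tld.drops_edns_queries = True
    for _ in range(EDNS_FAILURE_THRESHOLD):
        verdicts.append(validate(r.query(tld, "example.com.", "DS")))
    tld.drops_edns_queries = False  # fault is over
    verdicts.append(validate(r.query(tld, "example.com.", "DS")))
    return verdicts


if __name__ == "__main__":
    for m in (None, "exempt_tld", "no_ds_fallback"):
        print(m or "default fallback", scenario(m))
```

With the default behaviour the fourth lookup is still bogus after the fault has cleared, because the server stays marked. Exempting the TLD server keeps the transient bogus answers but recovers as soon as the network does; refusing to fall back for DS queries turns the transient period into SERVFAIL rather than unsigned data and never marks the server. Real resolver fallback logic is considerably more elaborate than this model.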
