[dns-operations] Stop marking TLD's NS server as EDNS-incapable

Ralf Weber dns at fl1ger.de
Mon Mar 6 07:46:02 UTC 2017


Moin!

On 6 Mar 2017, at 3:40, Davey Song wrote:
> I concluded it here that the EDNS fallback is proposed for good. But it may
> introduce false positives due to temporary network failure or malicious
> manipulations. Once the name servers of certain TLDs like .com and .net are
> marked EDNS-incapable, it will become a disaster for validating resolvers.
That highly depends on the resolver implementation; however, IMHO your
example shows that DNSSEC works as intended and detects spoofing of
DNS records. Resolvers following
	https://tools.ietf.org/html/draft-fujiwara-dnsop-resolver-update-00
or
	https://tools.ietf.org/html/rfc7816
might produce quite different results, though they also will detect the
DNS spoofing if they validate.

> One intuitive idea is to stop marking TLD's NS servers as EDNS-incapable,
> given the fact that 7040 of 7060 (99.72%) of name servers support EDNS. Or
> we can turn off the fallback function when it comes to DS records (the query
> back to their parents).
So you are pushing the issue one level down. What happens when we see similar
behaviour in three-label TLDs at the second label (co.uk)? Do you also want to
mark them special? This is just the wrong approach, as we should not make
protocol variations depending on where we are in the DNS tree.

So long
-Ralf
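As an added illustration of the fallback false positive discussed in this thread (a toy model written for this page, not code from any resolver or from either poster): a constructed EDNS-capable server times out once, the resolver retries without EDNS, succeeds, and records the server as EDNS-incapable. Because a query without an OPT record cannot carry the DO bit, every later DS lookup comes back without an RRSIG and validation fails for as long as the mark persists. The `reprobe_after` policy, a hypothetical mitigation, bounds the damage by re-trying EDNS after a few plain queries.

```python
from dataclasses import dataclass


@dataclass
class ServerSim:
    """Constructed authoritative server: EDNS-capable, with a transient outage."""
    outage: int = 0  # number of upcoming queries that will time out

    def query(self, use_edns: bool):
        if self.outage > 0:
            self.outage -= 1
            return None  # timeout
        # No EDNS means no OPT RR and no DO bit, so the DS comes back without RRSIG.
        return {"DS": "<constructed DS>", "RRSIG": use_edns}


class ResolverSim:
    """Hypothetical validating resolver with an EDNS fallback cache (assumed policy)."""

    def __init__(self, reprobe_after=None):
        # None: the mark is permanent.  N: after N plain queries, re-probe with EDNS.
        self.reprobe_after = reprobe_after
        self.marked = {}  # server name -> plain queries sent since it was marked

    def lookup_ds(self, name, server):
        stale = name in self.marked and (
            self.reprobe_after is None or self.marked[name] < self.reprobe_after)
        if stale:
            self.marked[name] += 1
            answer = server.query(use_edns=False)
        else:
            answer = server.query(use_edns=True)
            if answer is None:
                # EDNS fallback: retry plain and, on success, remember the server.
                answer = server.query(use_edns=False)
                if answer is not None:
                    self.marked[name] = 1
            else:
                self.marked.pop(name, None)  # re-probe succeeded: clear the mark
        if answer is None:
            return "servfail"
        return "secure" if answer["RRSIG"] else "bogus"


def simulate(reprobe_after, outage, queries):
    """Run `queries` DS lookups against one server that times out `outage` times."""
    server, resolver = ServerSim(outage=outage), ResolverSim(reprobe_after)
    return [resolver.lookup_ds("tld-ns", server) for _ in range(queries)]


if __name__ == "__main__":
    print("permanent mark:", simulate(None, 1, 4))  # bogus forever after one timeout
    print("re-probe after 2:", simulate(2, 1, 4))  # recovers once EDNS is retried
```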


