[dns-operations] Stop marking TLD's NS server as EDNS-incapable

Ralf Weber dns at fl1ger.de
Mon Mar 6 07:46:02 UTC 2017


On 6 Mar 2017, at 3:40, Davey Song wrote:
> I concluded it here that the EDNS fallback is proposed for good. But 
> it may
> introduce false positives due to temporary network failure or 
> malicious
> manipulations. Once the name server of certain TLD like .com and .net 
> are
> marked EDNS-incapable , it will become a disaster for validating 
> resolvers.
That highly depends on the resolver implementation, however IMHO in your
example it is shown that DNSSEC works as intended and detects spoofing 
DNS records. Resolvers following
might produce quite different results, though they also will detect the
DNS spoofing if they validate.

> One intuitive idea is to stop mark TLD’s NS server as 
> EDNS-incapable, given
> the fact that 7040 of 7060 (99.72%) of name servers support EDNS. Or 
> we can
> turn off the fallback function when it comes to DS record (the query 
> back to
> their parents).
So you are pushing the issue one level down. What when we see similar 
in three label TLDs at the second label (co.uk)? Do you also want to 
mark them
special? This is just the wrong approach, as we should not make protocol
variations depending on where we are at the DNS tree.

So long

More information about the dns-operations mailing list