[dns-operations] Questions on DNS Flag day 2020 proposal

Mark Andrews marka at isc.org
Mon Jun 24 06:10:51 UTC 2019

No one is requiring DNSSEC or EDNS.

They are requiring that DNS (STD 13) is done correctly.
If EDNS is being done that it is being done correctly.
If DNSSEC is being done that it is being done correctly.

Doing DNS correctly means answering all well formed DNS queries.
EDNS depend on correct DNS behaviour (returning FORMERR for queries
that you do not understand) to interoperate with DNS only servers.

If the server supports EDNS then it should ignore unknown EDNS options if
it supports RFC 6891 (or return FORMERR if it only supports RFC 2671 as
inherited from STD 13).  It should also perform EDNS version negotiation as
that is required by RFC 2671 and RFC 6891.  It should also ignore unknown
EDNS flags as that is required by RFC 2671 and RFC 6891.  Echoing back of
unknown options or flags is not permitted by RFC 6891, RFC 2671 or STD 13.

If the server supports DNSSEC then it MUST support EDNS fully in addition
to the DNSSEC requirements.

The last DNS flag day was all about getting operators to properly support
STD 13 and properly support RFC 6891 if they supported EDNS.

No where in STD 13 does it say, drop queries that you don’t understand.  It
does say return FORMERR if you don’t understand a query.  Operators that drop
queries are *not* following STD 13.

Deploying new features requires that the exception handling in the deployed code
works as specified.

TCP has never been optional.


> On 24 Jun 2019, at 12:44 pm, <ljsong at biigroup.cn> <ljsong at biigroup.cn> wrote:
>> c) I've personally invited major "broken" operators to talks about the
>> next flag days, and they promised in e-mail to participate in IETF dnsop
>> WG and DNS OARC conference ... and then they did not show up without a
>> single word of notice.
>> Personally I feel we have done as much as we could to attract attention
>> and do not know what else to do. If you have specific constructive
>> suggestions let's hear them.
> There are many reasons Asia's operators and vendors (not only China) seems 
> offline and invisible from public discussion on ORAC/DNSOP mailing lists. 
> As you may know, partially due to different culture background, they are "shy" 
> to speak publicly and argue with others with different opinions. English not 
> as their first and working language also contribute on this. If they have any 
> appeal of operational or protocol issues, they usually end up with frustration 
> because there is no authority to resolve their concerns. It is how Internet works and 
> we should get use to that. But as result they usually give up communication and do 
> whatever to fit them, NO DNSSEC, NO TCP, NO EDNS0,... It is also wired that there 
> many Chinese engineers active in networking area in IETF but only a few in DNSOP. 
> (Maybe DNS is not a big business?).
> As to suggestions, AFAIK, the DNS circle in China is small and they have discussions 
> internally. I suggest keep a short list of contact people from major ISPs' DNS, 
> public/cloud DNS, CDN and vendors. We outreach them by periodically brief and invite them 
> to participate and comment on some activities. We need more advocate and communications. 
> ICANN engagement center held meeting several times in China in the past. I was invited once to 
> Introduce DNSSEC and brief the status of ICANN's KSK rollover to Chinese community. It is a good 
> platform. However, it is not regularly hosted and without online discussion afterwards. And most of 
> participants are from ICANN circle, policy and domain business but not DNS technical community. 
> So I'm thinking of setting up a Wechat group for DNS people in China and inviting most related people. 
> So that we can exchange information and response swiftly just as I open this thread of discussion. 
> Davey 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the dns-operations mailing list