[dns-operations] Experiences with a post 2019 Flag Day Resolver

Shumon Huque shuque at gmail.com
Tue Sep 17 00:45:55 UTC 2019

On Mon, Sep 16, 2019 at 2:58 PM manu tman <chantr4 at gmail.com> wrote:

> On Mon, Sep 16, 2019 at 11:30 AM Shumon Huque <shuque at gmail.com> wrote:
>> Google Public DNS sends the EDNS Client Subnet option to authority
>> servers that we run, and presumably to those broken servers too. We cannot
>> observe the conversation between Google and the broken sites, but since
>> they resolve, we assume that they might at least have a workaround to retry
>> such sites without ECS (or maybe a dynamically maintained ECS blacklist is
>> in use). Perhaps, a Google Public DNS operator can confirm or disconfirm
>> this.
> Obviously not for Google Public DNS, but last I remember, they would probe
> the name servers to see if they support ECS, if they do then they will
> start sending ECS. Therefore I would assume those misbehaving name sergers
> are failing the probe test and hence Google Public DNS will not send ECS to
> them.

Ah, thanks Manu.

I did vaguely recall reading about this, but when I attempted to find a
reference earlier I failed. Now that I've typed the right set of search
engine keywords, I found the following document which describes Google's
ECS criteria:


Mark Andrews writes:
> ECS is also a white list option because of broken servers and the fact
> there are only relatively small numbers of servers that return ECS aware

Yup, that makes sense. I was wondering whether the Flag Day workaround
withdrawals had included ECS related changes. I guess, there is still
enough brokenness around this feature that probing and whitelisting is
still necessary. There is also the (partial) privacy benefit of selective
ECS issuance in outbound queries.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190916/566c64c1/attachment.html>

More information about the dns-operations mailing list