[dns-operations] Experiences with a post 2019 Flag Day Resolver

Shumon Huque shuque at gmail.com
Tue Sep 17 01:32:14 UTC 2019

On Mon, Sep 16, 2019 at 6:15 PM Mark Andrews <marka at isc.org> wrote:

> > On 17 Sep 2019, at 4:21 am, Shumon Huque <shuque at gmail.com> wrote:
> >

> > The proportion of these sites in comparison to the total population of
> zones that our resolvers talk to, is small, but not trivial. We have
> attempted to contact the zone owners in question as we discover them,
> pointing them to the various DNS compliance testing tools/sites. But this
> was getting to be burdensome enough that we ended up turning off outbound
> cookies ("send-cookie no;" in the global options).
> Do you have actual discover rates?
> Did they slow over time?
> Did you install server specific server clauses for those servers?
> Did you go back and re-test the servers after a while?
> Would you be willing to list the broken servers publicly?

Last time I checked with our resolver operator team, we had detected
roughly ~ 50 failing zones.

We've only had the new code deployed for a few weeks, and we turned off
cookies a few days after the initial failure reports, since people were
yelling at us -- so I don't think we were able to observe trends over time.
However, we do know that a small number of them were responsive to our
reports and managed to fix themselves (don't know the details of the fixes,
but I imagine code upgrades or firewall fixes etc). And we haven't gone
back to recheck the original list - but we should probably do that.

We didn't install server specific clauses to selectively disable cookies,
since the number of zones (multiplied by their server count) likely
exceeded the operational cycles the resolver team were willing to spend on
that effort.

I intentionally didn't publish the list of broken zones/servers in my
original note, since they are our customers, and I didn't want to give the
impression we were trying to publicly shame them. However, we might be
willing to share the list with you or  your ISC colleagues privately - let
me check with some colleagues and get back to you about that.

Shumon Huque
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190916/a9e24753/attachment.html>

More information about the dns-operations mailing list