[dns-operations] EDNS Client Subnet (ECS) in queries sent to Google Public DNS

Florian Weimer fw at deneb.enyo.de
Sun Jan 19 08:59:13 UTC 2020


* Alexander Dupuy via dns-operations:

> If any reader of this list is sending DNS requests with the EDNS Client
> Subnet (ECS) option to 8.8.8.8, please read this post on our announcement
> list <https://groups.google.com/g/public-dns-announce/c/h4XLjnWvAp8> that
> discusses changes Google is planning in how we handle requests with ECS. It
> is also relevant for developers of software that sends ECS to recursive
> resolvers.

| we plan to start sending REFUSED responses
| […]
| in encrypted DNS over HTTPS […]
| for domain names where we are forbidden to forward client-provided ECS

<https://groups.google.com/forum/#!topic/public-dns-announce/h4XLjnWvAp8>

How would a DoH client know that the recursive resolver is “forbidden
to forward” ECS data?

Do clients have to retry without ECS if they get a REFUSED response
now?  That looks like bad protocol design.  If you need to signal an
error in this case (instead of dropping the ECS data while
forwarding), it has to be a separate error indicator.  REFUSED does
not really work if retry without ECS is needed.
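
The client-side retry that the message is worried about, as an added example that is not part of Florian's reply, Alexander's post or Google's announcement. The wire formats are the standard ones (EDNS0 OPT pseudo-RR from RFC 6891, ECS option code 8 from RFC 7871); the `send` callable stands in for the DoH transport, and `simulated_resolver` and its `FORBIDDEN_ECS` zone list are constructed here purely to exercise the REFUSED-then-retry path, not Google's behaviour. Note in `resolve_with_ecs_fallback` that the client cannot tell an ECS-related REFUSED from any other REFUSED, which is exactly the ambiguity the message objects to.

```python
import struct
import ipaddress

EDNS_OPT_ECS = 8      # EDNS Client Subnet option code (RFC 7871)
RCODE_NOERROR = 0
RCODE_REFUSED = 5

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, off):
    labels = []
    while True:
        n = data[off]; off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", off

def ecs_option(prefix):
    """ECS option: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS truncated to the prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", EDNS_OPT_ECS, len(data)) + data

def build_query(qname, qtype=1, txid=0x1234, ecs_prefix=None):
    """Standard query with one question and one OPT RR; ECS is attached only if a prefix is given."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = ecs_option(ecs_prefix) if ecs_prefix else b""
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + opt

def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x0F

def parse_query(query):
    """Return (qname, has_ecs) by walking the question and the OPT RR's option list."""
    qname, off = decode_name(query, 12)
    off += 4                                  # QTYPE, QCLASS
    ecs = False
    if off < len(query):
        off += 11                             # OPT name(1) + TYPE/CLASS/TTL/RDLEN(10)
        rdlen = struct.unpack("!H", query[off - 2:off])[0]
        end = off + rdlen
        while off < end:
            code, length = struct.unpack("!HH", query[off:off + 4])
            if code == EDNS_OPT_ECS:
                ecs = True
            off += 4 + length
    return qname, ecs

# Constructed stand-in for "domain names where we are forbidden to forward client-provided ECS".
FORBIDDEN_ECS = ("example.net.",)

def simulated_resolver(query):
    """Toy resolver: REFUSED when the query carries ECS for a forbidden zone, NOERROR otherwise."""
    qname, ecs = parse_query(query)
    forbidden = any(qname == z or qname.endswith("." + z) for z in FORBIDDEN_ECS)
    code = RCODE_REFUSED if (ecs and forbidden) else RCODE_NOERROR
    txid = struct.unpack("!H", query[:2])[0]
    q_end = decode_name(query, 12)[1] + 4
    return struct.pack("!HHHHHH", txid, 0x8180 | code, 1, 0, 0, 0) + query[12:q_end]

def resolve_with_ecs_fallback(send, qname, ecs_prefix):
    """Send with ECS; on REFUSED, retry once without ECS. Returns (final rcode, retried)."""
    resp = send(build_query(qname, ecs_prefix=ecs_prefix))
    if rcode(resp) != RCODE_REFUSED:
        return rcode(resp), False
    # REFUSED carries no indication that ECS was the reason, so this retry also fires for
    # unrelated refusals (ACLs, policy) and costs a second round trip each time.
    resp = send(build_query(qname))
    return rcode(resp), True

if __name__ == "__main__":
    print(resolve_with_ecs_fallback(simulated_resolver, "www.example.net.", "192.0.2.0/24"))
    print(resolve_with_ecs_fallback(simulated_resolver, "www.example.com.", "192.0.2.0/24"))
```

Swapping `simulated_resolver` for a function that POSTs the bytes as `application/dns-message` to a DoH endpoint gives the real client loop; the constructed resolver exists only so the refused-and-retried path can be seen offline.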



