[dns-operations] EDNS Client Subnet (ECS) in queries sent to Google Public DNS

[Dave Lawrence]

Florian Weimer writes:
> How would a DoH client know that the recursive resolver is “forbidden
> to forward” ECS data?

It doesn't know clearly.  All it knows is that if it gets REFUSED when
it sends a prefix outside its own address space, then something was
wrong.  If that then succeeds it can only be inferred that the
specified network was the problem.

On a meta level, it is the case that there are contractual
relationships that forbid the forwarding in general and independent of
DoH, such as the long standing agreement between Google to Akamai.

> Do clients have to retry without ECS if they get a REFUSED response
> now?  That looks like bad protocol design.

Yes and yes.  It is one of my major complaints about the original ECS
specification as it was independently pushed into the wild after the
original IETF blowback basically put it off the path of getting a
thorough review.  Not overloading REFUSED surely would have been an
early revision.