[dns-operations] RFC 6975 (was: Re: Algorithm 5 and 7 trends (please move to 8 or 13))

Petr Špaček petr.spacek at nic.cz
Wed Jun 10 09:40:41 UTC 2020



On 09. 06. 20 7:16, Brian Somers wrote:
> We turned this up again on Friday and turned it down yet again today.  There
> are issues with zacks.com and I’m told there are a bunch of other support
> tickets (although details haven’t been given yet).
> 
>     $ dig +noall +answer +tries=1 +ednsopt=5:08 zacks.com @208.65.116.45
>     ;; connection timed out; no servers could be reached
>     $ dig +noall +answer +tries=1 +subnet=1.2.3.0/24 zacks.com @208.65.116.45
>     ;; connection timed out; no servers could be reached
>     $ dig +noall +answer +tries=1 zacks.com @208.65.116.45
>     zacks.com.              1200    IN      A       208.65.116.3
> 
> I’m now looking at re-implementing the code we had in place for EDNS
> probing prior to flag day 2019:
> - FORMERR/SERVFAIL/NOTIMP - try without any EDNS codes
> - No response - try with no EDNS codes on the third attempt

Please don't do that, it would further cement the DNS protocol in 1998.

If you really really _really_ need a simple "workaround", send RFC 6975 signals only to root servers. That should be enough to provide researchers with data on how RFC 6975+algo deployment is going without breaking weird auths.

See below for long-term proposal.


> 
> Still trying to think of a way to make this negatively affect the domain that
> misbehaves without negatively affecting our support folks :(
> 
> Any tips around this would be helpful (any resolvers do ECS probing for
> example?).

I think we (= resolver vendors) should coordinate first. There is no rush for RFC 6975 deployment, so we can plan and act together to finally get the DNS protocol into the 21st century.

For example, if we coordinated RFC 6975 deployment on major resolvers, it could push auths to action. DNS Flag Day 2019 had a major impact, and the DAU/DHU/N3U options are an opportunity to clear up the rest.

If needed we can modify https://gitlab.labs.nic.cz/knot/edns-zone-scanner/ to also test the DAU/DHU/N3U options and compile a list of shame; unfortunately it is the only thing which seems to work.
(I'm happy to help with that but I'm sick at the moment, let's talk later...)

Petr Špaček  @  CZ.NIC



> 
>> Brian
> 
>> On Jun 3, 2020, at 1:52 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
>>
>> On 03. 06. 20 7:18, Brian Somers wrote:
>>> On May 28, 2020, at 10:35 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>>>
>>>> Enough time has passed since the need to abandon SHA-1 has become
>>>> more pressing to discern at least a couple short-term trend-lines.
>>>
>>> Along these lines, have any of the large resolvers implemented
>>> RFC 6975 (DAU/DHU/N3U EDNS codes)?  OpenDNS/Cisco
>>> enabled these a couple of weeks ago but had to disable them
>>> pending qq.com being fixed (its nameservers returned
>>> SERVFAIL).  Now that the fix is there, we’re planning to turn
>>> it up again at the end of the week.
>>>
>>> Just curious about its adoption… it feels like we are testing new
>>> waters here.
>>
>> I believe you are the first, congrats! :-)
>>
>> It was not feasible to implement before https://dnsflagday.net/2019/ and then, you know, nobody asked for it ...
>>
>> Please report other issues you eventually encounter, I would bet there will be a couple more lurking somewhere.
>>
>> -- 
>> Petr Špaček  @  CZ.NIC
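As an added illustration (not code from this thread, nor from edns-zone-scanner or any resolver), here is a stdlib-only Python probe that builds the same DAU query dig sends with +ednsopt=5:08, sends it alongside a plain query, and classifies the authoritative server's reaction according to the two failure modes discussed above (the probe timing out while the plain query works, as with zacks.com; SERVFAIL only when the option is present, as with qq.com). The function names and result labels are my own.

```python
import random
import socket
import struct

DAU = 5  # RFC 6975 EDNS option codes: DAU=5, DHU=6, N3U=7

def build_query(name, dau_algs=b"\x08", qtype=1):
    """UDP query for `name`; dau_algs=b"\\x08" mirrors dig's +ednsopt=5:08
    (DAU listing algorithm 8), dau_algs=None sends a plain query with no OPT RR."""
    arcount = 0 if dau_algs is None else 1
    hdr = struct.pack("!HHHHHH", random.randrange(65536), 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = hdr + qname + struct.pack("!HH", qtype, 1)
    if dau_algs is not None:
        option = struct.pack("!HH", DAU, len(dau_algs)) + dau_algs
        # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, flags 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0, len(option)) + option
    return msg

def rcode(reply):
    """RCODE is the low 4 bits of the flags word (EXTENDED-RCODE ignored here)."""
    return struct.unpack("!H", reply[2:4])[0] & 0x0F

def classify(plain_rcode, probe_rcode):
    """Compare the plain query's result with the DAU probe's; None = no reply."""
    if plain_rcode is None:
        return "unreachable"  # not an EDNS problem at all
    if probe_rcode is None:
        return "drops-dau"    # the zacks.com symptom: probe times out, plain works
    if plain_rcode == 0 and probe_rcode in (1, 2, 4):  # FORMERR, SERVFAIL, NOTIMP
        return "rejects-dau"  # the qq.com symptom: SERVFAIL only with the option
    return "ok" if probe_rcode == plain_rcode else "differs"

def probe(name, server, timeout=2.0):
    """Send the plain query, then the DAU probe, over UDP/53 and classify."""
    results = []
    for q in (build_query(name, dau_algs=None), build_query(name)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            try:
                reply, _ = s.recvfrom(4096)
                results.append(rcode(reply) if reply[:2] == q[:2] else None)
            except socket.timeout:
                results.append(None)
    return classify(*results)
```

Calling probe() with the name and server from the dig transcript above runs the same comparison the three dig invocations show; a single UDP attempt per query is deliberate, since the point is to see whether the option alone changes the outcome.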


