[dns-operations] Google Public DNS has enabled case randomization globally
each at isc.org
Sat Jul 29 20:58:16 UTC 2023
(Resending because I accidentally replied privately.)
On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie via dns-operations wrote:
> <<We discovered that this mechanism, originally proposed in a March 2008
> draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, is
> highly effective and widely supported.>>
> would the google dns team be willing to contribute to this draft in the ietf
> dns wg? we have not pressed the matter since 2008 simply because no one
> cared. with google now deploying it for quad8, i think we might get a
> different result today than we got 14 years ago.
Case randomization has been supported in quite a lot of resolvers for
quite a long while. I know for sure that unbound and knot resolver both
have it. (BIND doesn't, I'm not sure why not; we just never got around to
it, I suppose.)
If, on top of these other implementations, google is now deploying it, then
they must have found it non-harmful, which would imply that all or nearly
all currently-deployed authoritative server software must be responding to
case-randomized queries correctly.
As I recall, the 0x20 draft was mostly discussion of the problem space; the
only normative part was a protocol clarification that the question section
has to be copied bit-for-bit into replies. That was already implicit in
other RFCs at the time... and, though I can't remember where at the moment,
I could just about swear it's been made explicit since then. (I remember
discussing this with Paul Hoffman at an OARC meeting in 2014; perhaps he
can call up the chapter and verse?)
If I'm mistaken about that, and it's still only implicit, then I'd support
clarifying the protocol in that way. If it's already been clarified,
though, then I'm not sure why a 0x20 RFC is needed now.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
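The bit-for-bit copy requirement discussed above is what makes 0x20 work: the resolver randomizes the case of the query name and accepts a reply only if the question section comes back byte-identical, so a forged or case-normalized answer is dropped. The following is an added example in Python, not code from the thread, from unbound, knot or BIND; `make_response` is a constructed stand-in for an authoritative server, and the sample name and random bytes are constructed.

```python
import os
import struct

def encode_0x20(qname: str, rand_bytes: bytes = None) -> str:
    """Randomize the case of each ASCII letter in qname, consuming one
    bit of rand_bytes per letter (bits repeat if rand_bytes is short)."""
    rand_bytes = rand_bytes or os.urandom(32)
    out, bit = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            flip = (rand_bytes[(bit // 8) % len(rand_bytes)] >> (bit % 8)) & 1
            out.append(ch.upper() if flip else ch.lower())
            bit += 1
        else:
            out.append(ch)
    return "".join(out)

def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    """Wire-format query: header with RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg: bytes):
    """Return (id, qname, qtype, qclass) of the first question, case preserved."""
    (qid,) = struct.unpack("!H", msg[:2])
    pos, labels = 12, []
    while msg[pos] != 0:
        ln = msg[pos]
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return qid, ".".join(labels) + ".", qtype, qclass

def response_matches(query: bytes, response: bytes) -> bool:
    """Accept only if QR is set and ID, qtype, qclass and the question name
    (compared byte-for-byte, i.e. case-sensitively) all equal the query's."""
    return bool(response[2] & 0x80) and parse_question(query) == parse_question(response)

def make_response(query: bytes, lowercase_name: bool = False) -> bytes:
    """Constructed responder: echoes the question, optionally normalizing the
    name to lowercase (the broken behaviour the 0x20 check detects)."""
    hdr = bytearray(query[:12])
    hdr[2] |= 0x80                     # set QR bit
    end = query.index(b"\x00", 12) + 1  # end of the question name
    name = query[12:end]
    if lowercase_name:
        name = name.lower()            # label lengths are <= 63, so only letters change
    return bytes(hdr) + name + query[end:]
```

Run with `q = build_query(0x1234, encode_0x20("www.example.com."))`: `response_matches(q, make_response(q))` is true, while `make_response(q, lowercase_name=True)` is rejected even though a case-insensitive name comparison would have accepted it.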