[dns-operations] Google Public DNS has enabled case randomization globally

Puneet Sood puneets at google.com
Sat Jul 29 21:20:54 UTC 2023


On Sat, Jul 29, 2023 at 5:06 PM Evan Hunt <each at isc.org> wrote:
>
> (Resending because I accidentally replied privately.)
>
> On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie via dns-operations wrote:
> > <<We discovered that this mechanism, originally proposed in a March 2008
> > draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, is
> > highly effective and widely supported.>>
> >
> > would the google dns team be willing to contribute to this draft in the ietf
> > dns wg? we have not pressed the matter since 2008 simply because no one
> > cared. with google now deploying it for quad8, i think we might get a
> > different result today than we got 14 years ago.
>
> Case randomization has been supported in quite a lot of resolvers for
> quite a long while.  I know for sure that unbound and knot resolver both
> have it.  (BIND doesn't, I'm not sure why not; we just never got around to
> it, I suppose.)
>
> If, on top of these other implementations, google is now deploying it, then
> they must have found it non-harmful, which would imply that all or nearly
> all currently-deployed authoritative server software must be responding to
> case-randomized queries correctly.

There are still a number of operators that are broken, where we have
had to auto-detect and/or config-disable case randomization. The worst
are the small number that return NXDOMAIN for the queries or time out.

>
> As I recall, the 0x20 draft was mostly discussion of the problem space; the
> only normative part was a protocol clarification that the question section
> has to be copied bit-for-bit into replies. That was already implicit in
> other RFCs at the time... and, though I can't remember where at the moment,
> I could just about swear it's been made explicit since then. (I remember
> discussing this with Paul Hoffman at an OARC meeting in 2014; perhaps he
> can call up the chapter and verse?)
>
> If I'm mistaken about that, and it's still only implicit, then I'd support
> clarifying the protocol in that way.  If it's already been clarified,
> though, then I'm not sure why a 0x20 RFC is needed now.

I do not recall this from the IETF dnsop sessions I attended, but I
could easily have missed it. Will have to wait for Paul Hoffman to
chime in here. Barring such an RFC update, I believe a requirement
update would be helpful for compliance.

-Puneet Sood

>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
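The mechanism under discussion, as an added example that is not part of the thread and not code from Google, ISC or any other resolver: a resolver applies bit 0x20 to each letter of the query name from a random mask, and then accepts a response only if the transaction ID matches and the question section comes back bit for bit, case included. The three authoritative behaviours below (verbatim echo, lowercasing the name, and NXDOMAIN on mixed case) are simulated here as plain Python functions over hand-built wire messages, to show both the integrity check and the kind of per-server auto-detection Puneet mentions. All names, functions and sample messages are constructed for this example; `probe_0x20_support` is a hypothetical heuristic, not any real resolver's logic.

```python
"""DNS 0x20 case randomization: query encoding, resolver-side check and
auto-detection of servers that mishandle it (constructed example)."""
import secrets
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QR_AA = 0x8400  # response bit + authoritative answer


def randomize_case(qname: str, rand: bytes) -> str:
    """Set the case of each ASCII letter from one bit of `rand` (32 bytes cover
    the 255-octet name limit). 0x20 is the bit that separates 'a' from 'A'."""
    out, bit = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (rand[bit // 8] >> (bit % 8)) & 1 else ch.lower())
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def extra_entropy_bits(qname: str) -> int:
    """Each letter adds one bit a spoofer must guess on top of the 16-bit txid."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed wire name; returns (dotted name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    # flags 0x0100: standard query with RD set; one question, class IN
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(msg: bytes) -> dict:
    txid, flags, *_ = HEADER.unpack_from(msg, 0)
    qname, off = decode_name(msg, HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype, "qclass": qclass}


def check_response(query: bytes, response) -> str:
    """Resolver side: txid must match and the question must be echoed verbatim.
    Python string comparison is case-sensitive, which is the whole point."""
    if response is None:
        return "reject: no response (timeout)"
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"]:
        return "reject: transaction id mismatch"
    if (r["qname"], r["qtype"], r["qclass"]) != (q["qname"], q["qtype"], q["qclass"]):
        return "reject: question section not echoed verbatim"
    return "accept: NXDOMAIN" if r["rcode"] == RCODE_NXDOMAIN else "accept"


# --- simulated authoritative servers (hypothetical, for illustration only) ---
def auth_correct(query: bytes) -> bytes:
    """Well-behaved: copies the question section bit for bit."""
    return HEADER.pack(parse_message(query)["id"], QR_AA, 1, 0, 0, 0) + query[HEADER.size:]


def auth_lowercases(query: bytes) -> bytes:
    """Broken: rewrites the question name in lowercase (looks like a forgery)."""
    q = parse_message(query)
    return (HEADER.pack(q["id"], QR_AA, 1, 0, 0, 0) + encode_name(q["qname"].lower())
            + struct.pack("!HH", q["qtype"], q["qclass"]))


def auth_nxdomain_on_mixed_case(query: bytes) -> bytes:
    """Broken: echoes the question correctly but answers NXDOMAIN for mixed case,
    so the response passes the integrity check yet is wrong."""
    q = parse_message(query)
    rcode = RCODE_NXDOMAIN if q["qname"] != q["qname"].lower() else RCODE_NOERROR
    return HEADER.pack(q["id"], QR_AA | rcode, 1, 0, 0, 0) + query[HEADER.size:]


def auth_timeout(query: bytes):
    """Broken: drops mixed-case queries on the floor."""
    return None if parse_message(query)["qname"] != parse_message(query)["qname"].lower() else auth_correct(query)


def probe_0x20_support(auth, zone: str) -> str:
    """Hypothetical auto-detection: compare a lowercase control query with an
    all-uppercase probe; only enable 0x20 if case is echoed and rcode is unchanged."""
    control = auth(build_query(1, zone.lower()))
    probe_name = randomize_case(zone, b"\xff" * 32)
    mixed = auth(build_query(2, probe_name))
    if control is None or mixed is None:
        return "disable: timeout on mixed-case query"
    if parse_message(mixed)["qname"] != probe_name:
        return "disable: case not echoed"
    if parse_message(mixed)["rcode"] != parse_message(control)["rcode"]:
        return "disable: rcode changes with case"
    return "enable"


if __name__ == "__main__":
    name = randomize_case("www.example.com.", secrets.token_bytes(32))
    q = build_query(secrets.randbelow(1 << 16), name)
    print(name, extra_entropy_bits(name), check_response(q, auth_correct(q)))
```

Note that `auth_nxdomain_on_mixed_case` is the nastier of the two broken cases: the response is bit-for-bit correct in its question section, so the resolver cannot reject it on integrity grounds and only a side-by-side probe reveals that the server's answer depends on case.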
