<div dir="ltr"><div dir="ltr"><div dir="ltr">On Wed, Apr 17, 2019 at 2:33 PM Jon Reed <<a href="mailto:jreed@akamai.com">jreed@akamai.com</a>> wrote:</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Wed, 17 Apr 2019, Dave Lawrence wrote:<br>
> Beyond that, the other modes needed their own attention from<br>
> developers and things got cleaned up a lot. I don't know what the<br>
> current status is, as I've been gone from Akamai for over a year now,<br>
> but I believe they've got only just a few rarely-encountered edge<br>
> cases where ENTs could be a problem now. Perhaps Jon could comment if<br>
> they've hit 100% yet.<br>
<br>
We're not quite at 100%; there are still some problems with a few of the less <br>
common modes, but there's work underway to fix them. But we're close <br>
enough that I'd feel comfortable embracing another flag day around RFC <br>
8020, for example.</blockquote><div><br></div><div>That would be nice. Despite being an author of RFC 8020, I might be</div><div>hesitant to recommend *unilateral* embrace of RFC 8020 though. Besides</div><div>the potential incorrect ENT response issue, there is a concern that 8020 can</div><div>amplify the effect of DNS spoofing by allowing an adversary to prune out a</div><div>large subtree of the DNS in one go, rather than individual nodes. If DNSSEC</div><div>was omnipresent, there would of course be no concern, but I'm not sure we</div><div>will ever be there. This issue is described in the Security Considerations of</div><div>the RFC, where one possible implementation suggestion is to do this only</div><div>when the NXDOMAIN response can be authenticated with DNSSEC.</div><div><br></div><div>Note that recent versions of Unbound already implement RFC 8020 by default,</div><div>but as described above, only for authenticated NXDOMAIN responses. The other </div><div>probable reason this might be a good strategy is that signed zones will most likely</div><div>get ENT responses correct, for reasons already discussed previously in this</div><div>thread. The Unbound configuration knob is called "harden-below-nxdomain". I</div><div>am not currently aware of any other resolvers that implement 8020, but would</div><div>be happy to be educated.</div><div><br></div><div>Incidentally, the upcoming DNS-OARC workshop has a Flag Day panel scheduled,</div><div>and one of the questions they will ask is what to do for the next flag day. Feel free</div><div>to propose this!</div><div><br></div><div> <a href="https://indico.dns-oarc.net/event/31/contributions/678/">https://indico.dns-oarc.net/event/31/contributions/678/</a><br></div><div><br></div><div>Shumon.</div><div> <br></div></div></div></div>
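The behaviour discussed above, as an added example that is not part of the thread and not Unbound's own code: a small Python model of a resolver's negative cache that applies the RFC 8020 NXDOMAIN cut only when the NXDOMAIN was DNSSEC-validated, so an unauthenticated (possibly spoofed) NXDOMAIN cannot prune a whole subtree. The class, function names and sample names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def ancestors(name: str) -> List[str]:
    """Return name followed by each parent up to the root, all as FQDNs ending in '.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


@dataclass
class NegativeCache:
    """Negative cache: owner name -> whether its NXDOMAIN was DNSSEC-validated."""
    harden_below_nxdomain: bool = True          # models the Unbound knob named in the thread
    nxdomain: Dict[str, bool] = field(default_factory=dict)

    def record_nxdomain(self, name: str, authenticated: bool) -> None:
        self.nxdomain[ancestors(name)[0]] = authenticated

    def covered_by_cut(self, qname: str) -> Optional[str]:
        """Return the cached NXDOMAIN owner that answers qname without an upstream
        query, or None if qname must be resolved normally."""
        chain = ancestors(qname)
        if chain[0] in self.nxdomain:            # exact negative-cache hit (RFC 2308 style)
            return chain[0]
        if not self.harden_below_nxdomain:
            return None
        # RFC 8020 cut: a parent's NXDOMAIN implies the whole subtree is empty, but
        # we only trust it when DNSSEC validated it; a spoofed, unvalidated NXDOMAIN
        # for "bank.test." therefore cannot wipe out every name beneath it.
        for parent in chain[1:]:
            if self.nxdomain.get(parent) is True:
                return parent
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one validated and one unvalidated NXDOMAIN in the cache."""
    cache = NegativeCache()
    cache.record_nxdomain("gone.example.", authenticated=True)   # validated by DNSSEC
    cache.record_nxdomain("bank.test.", authenticated=False)     # unvalidated, possibly spoofed
    return {
        "www.gone.example.": cache.covered_by_cut("www.gone.example."),  # 'gone.example.'
        "www.bank.test.": cache.covered_by_cut("www.bank.test."),        # None: ask upstream
        "bank.test.": cache.covered_by_cut("bank.test."),                # 'bank.test.' exact hit
    }
```

Note that a misbehaving authoritative server that answers NXDOMAIN for an empty non-terminal would also be masked by this gate only if the zone is unsigned; in a signed zone the validated NXDOMAIN would be honoured, which is why getting ENT responses right matters more there.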