Enforce EDNS

Michael Hare michael.hare at wisc.edu
Wed Feb 8 15:56:32 UTC 2017


+1 to Alan.  While I work at an ivory tower and support Mark's mission, in practice I don't have operational time (nor is it necessarily the best use of my time) to maintain a per-IP bypass.

100% in support of enabling this by default as long as there is an option to disable.

-Michael

> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Mark
> Andrews
> Sent: Tuesday, February 07, 2017 4:32 PM
> To: Reindl Harald <h.reindl at thelounge.net>
> Cc: bind-users at isc.org
> Subject: Re: Enforce EDNS
> 
> 
> In message <4b0243b1-1c89-023b-f3f3-7279216d5c69 at thelounge.net>, Reindl Harald writes:
> >
> >
> > On 07.02.2017 at 22:11, Mark Andrews wrote:
> > > In message <3836f038-c480-9970-fd53-a5c87ad3633e at thelounge.net>, Reindl Harald writes:
> > >>> Break them.  That's the only way it will eventually get fixed
> > >>
> > >> if things would be that easy....
> > >>
> > >> the admins of the broken servers are the very last which are affected,
> > >> admins with a recent named have to bite the bullet of user terror and
> > >> users typically don't give a damn when it worked yesterday
> > >>
> > >> the admins of the broken server don't give a damn about it as long as they can
> > >> point their fingers and say "look, the rest of the world has no lookup
> > >> errors"
> > >>
> > >> if it would be that easy the problem of spam would not exist for many
> > >> years while in reality you waste most of our time to write exceptions
> > >> here and there, disable rules or score them lower because you are not in
> > >> the position to educate every admin of sending servers out there
> > >
> > > You go over the admins head.  You go to the board of directors.
> > > You go to the minister responsible (yes, I have had to do that
> > > along with a copy to the shadow minister and the company that the
> > > DNS was outsourced to for government domains).  Good old snail mail
> >
> > if *you* do that from your position it may work but still takes time in
> > a world where it sometimes takes days and weeks to find somebody who
> > can instruct an admin to change a simple CNAME record from machine A to
> > machine B even with the director's OK and CC'ed in the message
> 
> And you can fix the issue by hand while this is going on.
> 
> 	server 74.113.204.34 { send-cookie false; };
> 	server 74.113.206.34 { send-cookie false; };
> 	server 117.56.91.203 { send-cookie false; };
> 	server 117.56.91.204 { send-cookie false; };
> 	server 117.56.91.234 { send-cookie false; };
> 	server 199.252/16 { send-cookie false; };
> 
> 	(or request-sit no; for 9.10.x)
> 
> There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
> 
> The big numbers are those that drop EDNS(1) which no one is using at
> this stage.  See http://ednscomp.isc.org/
> 
> > i doubt it works the same way for an ordinary admin in a small company
> > where you have to make it work because *you* broke it with the named update
> > and so your advice will be "roll back that stuff to the state of
> > yesterday where it worked and no you have not the free time to call each
> > and every company and educate them"
> >
> > problem here is that as long as it's not a critical mass, anybody who
> > deployed the update breaking things has to bleed for it and so you have
> > to find enough people with the power to go over admins' heads *before* the
> > breaking updates
> >
> > and no, when in your company people can't work because DNS is broken you
> > don't call foreign admins and directors - you have to fix that *now* and
> > after you have fixed it you no longer have arguments why call somebody
> > with no direct relations
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >  from this list
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
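The thread turns on telling apart servers that answer EDNS with a DNS COOKIE, servers that answer EDNS but ignore the cookie, and servers that drop EDNS entirely (the ones that end up on a `send-cookie false` bypass list). As an added illustration, not code from the thread or from BIND, here is a minimal pure-Python classifier for the replies such a probe would get; the wire layout follows RFC 6891 (OPT RR) and RFC 7873 (COOKIE option, code 10), and `fake_reply()` builds constructed fixtures so it runs offline. A live probe would send `build_query()` over UDP and hand the reply, or `None` on timeout, to `classify_response()`.

```python
import struct

OPT_TYPE = 41                     # EDNS(0) OPT pseudo-RR (RFC 6891)
COOKIE_OPT = 10                   # DNS COOKIE option code (RFC 7873)
CLIENT_COOKIE = bytes(range(8))   # constructed client cookie, not a real one

def _name(qname):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"

def build_query(qname, qid=0x1234):
    """Query for qname/IN/A with an OPT RR carrying only our client cookie."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)     # RD set, 1 question, 1 additional
    opt_data = struct.pack("!HH", COOKIE_OPT, 8) + CLIENT_COOKIE
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt_data)) + opt_data
    return header + _name(qname) + struct.pack("!HH", 1, 1) + opt_rr

def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def classify_response(packet):
    """'edns+cookie' if the OPT RR echoes a full cookie, 'edns' if OPT is present
    without one, 'plain' if the server stripped EDNS, None for no reply (timeout)."""
    if not packet:
        return None
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # skip QTYPE + QCLASS
    edns = cookie = False
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        if rtype == OPT_TYPE:
            edns = True
            p = off
            while p < off + rdlen:                 # walk the EDNS options
                code, olen = struct.unpack_from("!HH", packet, p)
                cookie |= code == COOKIE_OPT and 16 <= olen <= 40  # client(8) + server(8..32)
                p += 4 + olen
        off += rdlen
    return "edns+cookie" if cookie else ("edns" if edns else "plain")

def fake_reply(query, opt_data=None):
    """Constructed fixture: echo the question; append an OPT RR with opt_data if given."""
    qend = _skip_name(query, 12) + 4
    extra = b"" if opt_data is None else b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt_data)) + opt_data
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 1 if extra else 0) + query[12:qend] + extra
```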

