On Wed, Jun 22, 2016 at 1:52 AM, Mark Andrews <[email protected]> wrote:
>
> In message <CAC=TB13tLt0GafJq3r+v5WQ6Sjx0jWNpZMbpCH+p7BCUG_Cc=q...@mail.gmail.com>,
> Marek Vavruša writes:
>>
>> This affects several major DNS providers currently. I've heard Akamai
>> is rolling out an update, but it's still returning NXDOMAIN for ENTs.
>> While deploying the draft in the current state of the Internet is not
>> really viable and pointing out various broken implementations is fun,
>> I think it's good to have this draft as a reference from now on.
>>
>> Marek
>
> Which is really not a reason to not deploy. There are lots of
> things broken in deployed nameservers and waiting for them to be
> fixed before deploying would result in us never deploying new
> features.
>
> We are pushing ahead with deploying DNS COOKIES, on by default,
> despite knowing that it will result in resolution failures for a
> small percentage of zones, slower (extra round trips for incorrect
> rcodes) and very slow (multiple seconds as we discover the poorly
> configured firewalls) lookups to others and "wrong" results for
> still others (NODATA instead of DATA, NXDOMAIN instead of DATA).
Deploying DNS COOKIES is a completely different risk. It is likely to
result in a "small percentage" of resolution failures with some really
broken intermediates. Broken NXDOMAIN for ENTs sadly affects a large
portion of the Internet (CDNs notably). While I personally would be okay
with flipping the switch for testing, I wouldn't do so in the position
of a big recursive service.

> We also shouldn't put on hold deploying changes depending upon
> correct ENT behaviour. It's not like people haven't had a decade
> to fix their servers since the issue was identified.

How do you imagine enforcing that? The only thing a software vendor can
do is give operators the option, but deploying it is someone else's
decision. It's not like you and I are going to rappel down to Google's
mainframe tomorrow and deploy worldwide.

> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
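The ENT failure mode the thread argues about, modelled as an added example; this is illustrative code, not anything from Marek, Mark, ISC or the draft. It assumes the draft in question is the behaviour where a resolver treats a cached NXDOMAIN as covering every name beneath it (the thread does not spell that out), the zone data is constructed, and the "resolver" is a toy rather than BIND or any real implementation. It shows how a correct authoritative server answers NOERROR/NODATA for an empty non-terminal, how the broken servers Marek describes answer NXDOMAIN instead, and why a subtree-caching resolver then returns "NXDOMAIN instead of DATA" for everything under the ENT.

```python
"""Why NXDOMAIN for an empty non-terminal (ENT) poisons a resolver that
treats NXDOMAIN as covering the whole subtree.  Added example; the zone
below is constructed and the resolver is a toy (assumption: the draft
under discussion gives NXDOMAIN subtree-wide meaning)."""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def name_labels(name):
    """'_sip._tcp.example.' -> ['_sip', '_tcp', 'example'] (case-folded)."""
    return name.rstrip(".").lower().split(".")


def is_subdomain(name, ancestor):
    """True if `name` is at or below `ancestor` in the DNS tree."""
    n, a = name_labels(name), name_labels(ancestor)
    return len(n) >= len(a) and n[-len(a):] == a


def empty_non_terminals(zone, apex):
    """Names inside the zone that own no records but have descendants
    that do.  A correct server answers NOERROR with no data for these."""
    ents = set()
    for owner in zone:
        labels = name_labels(owner)
        for i in range(1, len(labels)):          # walk up the ancestors
            ancestor = ".".join(labels[i:]) + "."
            if not is_subdomain(ancestor, apex):  # stop above the apex
                break
            if ancestor not in zone:
                ents.add(ancestor)
    return ents


def authoritative_answer(zone, apex, qname, qtype, ent_bug=False):
    """(rcode, rdata list) as a correct authoritative server gives it, or,
    with ent_bug=True, the broken behaviour the thread complains about:
    NXDOMAIN for a name that exists only as an empty non-terminal."""
    if not is_subdomain(qname, apex):
        raise ValueError("not authoritative for %s" % qname)
    if qname in zone:                             # name owns records
        return NOERROR, zone[qname].get(qtype, [])
    if any(is_subdomain(owner, qname) for owner in zone):
        return (NXDOMAIN if ent_bug else NOERROR), []   # ENT: NODATA
    return NXDOMAIN, []                           # truly nonexistent


class SubtreeNxdomainResolver:
    """Toy resolver: a cached NXDOMAIN for name X is taken to mean that no
    name below X exists, so later queries under X are answered locally."""

    def __init__(self, zone, apex, ent_bug=False):
        self.zone, self.apex, self.ent_bug = zone, apex, ent_bug
        self.nxdomain_cuts = set()
        self.upstream_queries = 0

    def resolve(self, qname, qtype):
        for cut in self.nxdomain_cuts:
            if is_subdomain(qname, cut):
                return NXDOMAIN, []               # synthesized, never asked
        self.upstream_queries += 1
        rcode, rrs = authoritative_answer(self.zone, self.apex,
                                          qname, qtype, self.ent_bug)
        if rcode == NXDOMAIN:
            self.nxdomain_cuts.add(qname)
        return rcode, rrs


# Constructed sample zone.  '_tcp.example.' is never an owner name, so it
# is an empty non-terminal sitting above the SRV record.
ZONE = {
    "example.": {"SOA": ["ns1.example. hostmaster.example. 1 1 1 1 1"],
                 "NS": ["ns1.example."]},
    "ns1.example.": {"A": ["192.0.2.1"]},
    "sip.example.": {"A": ["192.0.2.2"]},
    "_sip._tcp.example.": {"SRV": ["0 5 5060 sip.example."]},
}


def demo(ent_bug):
    """Query the ENT first, then the SRV record beneath it.  Returns the
    two rcodes and how many times the authority was actually asked."""
    r = SubtreeNxdomainResolver(ZONE, "example.", ent_bug)
    ent_rcode, _ = r.resolve("_tcp.example.", "A")
    srv_rcode, _ = r.resolve("_sip._tcp.example.", "SRV")
    return ent_rcode, srv_rcode, r.upstream_queries


if __name__ == "__main__":
    print("ENTs in zone:", empty_non_terminals(ZONE, "example."))
    print("correct authority:", demo(ent_bug=False))
    print("broken authority: ", demo(ent_bug=True))
```

With the correct authority the resolver asks twice and gets NOERROR for both names; with the broken one it caches the bogus NXDOMAIN for `_tcp.example.` and synthesizes NXDOMAIN for the SRV record without ever querying, which is exactly why a large recursive operator cannot "flip the switch" while CDNs still answer that way.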
