Re: [dns-operations] Google Public DNS has enabled case randomization globally
Paul Vixie via dns-operations wrote on 2023-07-29 17:35:
> back in the day, only one rdns server was downcasing on cache miss, and it was one of google's. dave presotto fixed it in about a day.

apologies (obvious). it was an authority for l.google.com, not rdns.

--
P Vixie

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Google Public DNS has enabled case randomization globally
Evan Hunt wrote on 2023-07-29 13:58:
> (Resending because I accidentally replied privately.)

likewise.

Evan Hunt wrote on 2023-07-29 13:55:
> On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie wrote:
> > ...
> > would the google dns team be willing to contribute to this draft in the ietf dns wg? we have not pressed the matter since 2008 simply because no one cared. with google now deploying it for quad8, i think we might get a different result today than we got 14 years ago.
>
> Case randomization has been supported in quite a lot of resolvers for quite a long while. I know for sure that unbound and knot resolver both have it. (BIND doesn't, I'm not sure why not; we just never got around to it, I suppose.)

perhaps there would be many reviewers, then.

> If, on top of these other implementations, google is now deploying it, then they must have found it non-harmful, which would imply that all or nearly all currently-deployed authoritative server software must be responding to case-randomized queries correctly.

back in the day, only one rdns server was downcasing on cache miss, and it was one of google's. dave presotto fixed it in about a day.

> As I recall, the 0x20 draft was mostly discussion of the problem space; the only normative part was a protocol clarification that the question section has to be copied bit-for-bit into replies.
> ...

no. retry and fallback were specified. google's logic as described up-thread is more subtle than what we recommended. that's where a standard is needed, though i think we should also refer to every RFC where bit-for-bit naming in cache misses is implied or stated.

> If I'm mistaken about that, and it's still only implicit, then I'd support clarifying the protocol in that way. If it's already been clarified, though, then I'm not sure why a 0x20 RFC is needed now.

we need to share knowledge about how to live with this change, simply because until the 0x20 draft came along, unexpected behaviour was able to be codified far and wide. sort of like drop-all-fragments was able to become the norm in the decades before EDNS.

--
P Vixie
Re: [dns-operations] Google Public DNS has enabled case randomization globally
On Sat, Jul 29, 2023 at 5:06 PM Evan Hunt wrote:
>
> (Resending because I accidentally replied privately.)
>
> On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie via dns-operations wrote:
> > << draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, is highly effective and widely supported. >>
> >
> > would the google dns team be willing to contribute to this draft in the ietf dns wg? we have not pressed the matter since 2008 simply because no one cared. with google now deploying it for quad8, i think we might get a different result today than we got 14 years ago.
>
> Case randomization has been supported in quite a lot of resolvers for quite a long while. I know for sure that unbound and knot resolver both have it. (BIND doesn't, I'm not sure why not; we just never got around to it, I suppose.)
>
> If, on top of these other implementations, google is now deploying it, then they must have found it non-harmful, which would imply that all or nearly all currently-deployed authoritative server software must be responding to case-randomized queries correctly.

There are still a number of operators that are broken where we have had to auto-detect and/or config disable case randomization. The worst are the small number that return NXDOMAIN for the queries or timeout.

> As I recall, the 0x20 draft was mostly discussion of the problem space; the only normative part was a protocol clarification that the question section has to be copied bit-for-bit into replies. That was already implicit in other RFCs at the time... and, though I can't remember where at the moment, I could just about swear it's been made explicit since then. (I remember discussing this with Paul Hoffman at an OARC meeting in 2014; perhaps he can call up the chapter and verse?)
>
> If I'm mistaken about that, and it's still only implicit, then I'd support clarifying the protocol in that way. If it's already been clarified, though, then I'm not sure why a 0x20 RFC is needed now.

I do not recall this during my attendance of the IETF dnsop sessions but I could easily have missed this. Will have to wait for Paul Hoffman to chime in here. Barring such an RFC update, I believe a requirement update would be helpful for compliance.

-Puneet Sood

> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
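The mechanism the thread is arguing about, as an added Python example that is not code from the thread, from Google Public DNS, or from any resolver named above: a query name gets random case applied to its ASCII letters, the reply's question section is compared bit-for-bit with what was sent, and a per-authoritative-server policy counts the two failure modes Puneet describes (case rewritten by the authority, or no usable reply such as a timeout) before retrying plainly and disabling 0x20 for that server. The class and function names, the failure threshold and the verdict strings are assumptions for illustration.

```python
import secrets
from typing import Optional

# Added example (not code from the dns-operations thread or any resolver):
# a minimal model of 0x20 case randomization, the bit-for-bit echo check on
# the question section, and a per-server fallback policy of the kind the
# thread describes. Threshold and names are constructed assumptions.


def ascii_letters_in(qname: str) -> int:
    """Number of positions in qname that can carry a 0x20 bit (ASCII letters).
    This is the extra entropy 0x20 adds on top of the 16-bit ID and source port,
    so very short or digit-heavy names gain little from it."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def apply_0x20(qname: str, bits: int) -> str:
    """Rewrite the case of every ASCII letter in qname: bit i of `bits` selects
    upper (1) or lower (0) case for the i-th letter. Digits, hyphens and label
    dots have no case and are copied unchanged."""
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def randomize_case(qname: str) -> str:
    """Pick fresh random case bits for one outgoing query."""
    n = ascii_letters_in(qname)
    return apply_0x20(qname, secrets.randbits(n)) if n else qname


def classify_echo(sent_qname: str, echoed_qname: str) -> str:
    """Compare the question name we sent with the one echoed in the reply.
    "match":          bit-for-bit identical; the reply passes the 0x20 check.
    "case-rewritten": same name ignoring case; the authority normalised case,
                      so 0x20 cannot validate replies from it.
    "mismatch":       a different name; the reply is not for this query and
                      must be dropped."""
    if sent_qname == echoed_qname:
        return "match"
    if sent_qname.lower() == echoed_qname.lower():
        return "case-rewritten"
    return "mismatch"


class ServerPolicy:
    """Per-authoritative-server 0x20 state: randomize until the server shows it
    cannot cope, then disable 0x20 for it. max_failures is a constructed value,
    not anything the thread or Google specifies."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = 0
        self.enabled = True

    def outgoing_qname(self, qname: str) -> str:
        """Name to put on the wire for this server."""
        return randomize_case(qname) if self.enabled else qname.lower()

    def observe(self, sent_qname: str, echoed_qname: Optional[str]) -> str:
        """Record one reply. echoed_qname=None models 'no usable reply' (a timeout,
        or NXDOMAIN for a name that resolves when asked in plain case). Only the
        two breakage modes count toward disabling 0x20; a mismatched name is just
        dropped, since it may be a stray or forged packet rather than this server."""
        verdict = "no-reply" if echoed_qname is None else classify_echo(sent_qname, echoed_qname)
        if self.enabled and verdict in ("case-rewritten", "no-reply"):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.enabled = False
        return verdict

    @staticmethod
    def should_retry_plain(verdict: str) -> bool:
        """Fallback: anything but a bit-for-bit match to a randomized query is
        retried with the plain lowercase name before giving up on the name."""
        return verdict != "match"


if __name__ == "__main__":
    policy = ServerPolicy(max_failures=2)
    wire = policy.outgoing_qname("example.com")
    # Constructed replies: a downcasing authority, then a timeout.
    for echoed in (wire.lower(), None):
        v = policy.observe(wire, echoed)
        print(f"sent={wire} echoed={echoed!r} verdict={v} retry_plain={policy.should_retry_plain(v)}")
    print("0x20 still enabled for this server:", policy.enabled)
```

The important defensive point the model makes explicit is that a case-rewritten reply is not a forgery, but it is also not validated: the resolver loses the 0x20 bits of entropy for that server and is back to relying on the transaction ID and source port alone, which is why a resolver should log which servers it has had to fall back for.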
Re: [dns-operations] Google Public DNS has enabled case randomization globally
(Resending because I accidentally replied privately.)

On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie via dns-operations wrote:
> << draft “Use of Bit 0x20 in DNS Labels to Improve Transaction Identity”, is highly effective and widely supported. >>
>
> would the google dns team be willing to contribute to this draft in the ietf dns wg? we have not pressed the matter since 2008 simply because no one cared. with google now deploying it for quad8, i think we might get a different result today than we got 14 years ago.

Case randomization has been supported in quite a lot of resolvers for quite a long while. I know for sure that unbound and knot resolver both have it. (BIND doesn't, I'm not sure why not; we just never got around to it, I suppose.)

If, on top of these other implementations, google is now deploying it, then they must have found it non-harmful, which would imply that all or nearly all currently-deployed authoritative server software must be responding to case-randomized queries correctly.

As I recall, the 0x20 draft was mostly discussion of the problem space; the only normative part was a protocol clarification that the question section has to be copied bit-for-bit into replies. That was already implicit in other RFCs at the time... and, though I can't remember where at the moment, I could just about swear it's been made explicit since then. (I remember discussing this with Paul Hoffman at an OARC meeting in 2014; perhaps he can call up the chapter and verse?)

If I'm mistaken about that, and it's still only implicit, then I'd support clarifying the protocol in that way. If it's already been clarified, though, then I'm not sure why a 0x20 RFC is needed now.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: [dns-operations] Google Public DNS has enabled case randomization globally
Tianhao Chi via dns-operations wrote on 2023-07-26 09:46:

would the google dns team be willing to contribute to this draft in the ietf dns wg? we have not pressed the matter since 2008 simply because no one cared. with google now deploying it for quad8, i think we might get a different result today than we got 14 years ago.

--
P Vixie
Re: [dns-operations] Why is DNS still hard to learn?
Wireshark is a good DNS teacher unless DoT/DoH is in play.

Resilience of the DNS system is why most people know little about it. People just take it for granted.

Rubens

On 29 Jul 2023 09:20, at 09:20, Stephane Bortzmeyer wrote:
>As usual, a good practical article by Julia Evans:
>
>https://jvns.ca/blog/2023/07/28/why-is-dns-still-hard-to-learn/
[dns-operations] Why is DNS still hard to learn?
As usual, a good practical article by Julia Evans:

https://jvns.ca/blog/2023/07/28/why-is-dns-still-hard-to-learn/