
Re: EDNS0 revisions

[marka]
> I think formalising the reaction to timeout for EDNS failures to fall back to
> plain DNS is wrong.  As dependency on EDNS increases (e.g. DNSSEC) it is much
> more important that packet loss is treated as packet loss and not broken
> servers / middle boxes.

since many members of the wider community feel that DNSSEC is a fool's errand,
i suggest that we concentrate on less controversial motivations for EDNS0, of
which there are plenty.

> Fallback to EDNS udpsize=512 maybe but not plain DNS on timeout.  This will
> interoperate with firewalls that enforce a 512 byte packet size and not
> lose EDNS signaling which is required for DNSSEC.

first, those firewalls are broken.  just as broken as NAT boxes which rewrite
DNS packets in flight.  second, i cannot see any benefit to an additional
fallback state (full EDNS, old DNS).  we don't need one for "bufsize=512" and
we don't need one for "only use OPTION-CODEs that existed as of RFC2671".  if
full EDNS doesn't work, then fall back all the way to old DNS.  no new states.

> Yes there are some load balancers that do the wrong thing and drop queries
> but they are NOT RFC 103[45] compliant if they do that.  Codifying such
> non-compliance is wrong.
>
> Should we codify non response to non A queries as right?
> Should we codify NXDOMAIN responses to unknown qtypes as right?
> Should we codify returning the wrong SOA record as right for
> negative responses?

all of those things remain wrong.  but RFC2671bis' job is not to right any
wrongs, nor codify some wrongs.  all we want is greater interoperability, of
the form, "if you do things a little differently, it'll work a little better."

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
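The two fallback policies argued over above (full EDNS then old DNS, versus full EDNS then EDNS with udpsize=512), as an added illustration that is not part of the thread: it builds RFC 2671 queries with and without an OPT RR and runs each policy against two constructed paths, a middlebox that drops any EDNS query and a path that merely loses the first datagram. The packet layout is real; the send functions, policy names and sample zone name are assumptions for the simulation.

```python
import struct

OPT_TYPE = 41  # OPT pseudo-RR type (RFC 2671)

def build_query(qname, qtype=1, udpsize=None, txid=0x1234):
    """Wire-format query; udpsize=None omits the OPT RR (plain, pre-EDNS DNS)."""
    arcount = 0 if udpsize is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if udpsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udpsize, 0, 0)
    return header + question + opt

def query_has_opt(packet):
    """True if ARCOUNT is 1 and the trailing 11 bytes are an OPT RR."""
    arcount = struct.unpack("!H", packet[10:12])[0]
    return arcount == 1 and packet[-11] == 0 and packet[-10:-8] == struct.pack("!H", OPT_TYPE)

def resolve(send, qname, policy):
    """Try each udpsize in policy in order (None = plain DNS); send() returns
    response bytes or None on timeout. Returns (attempts, udpsize, response)
    for the first attempt that is answered, or None if every attempt times out."""
    for attempt, udpsize in enumerate(policy, 1):
        resp = send(build_query(qname, udpsize=udpsize))
        if resp is not None:
            return attempt, udpsize, resp
    return None

# Assumed policy names: the reply's position (fall all the way back to old DNS)
# and marka's position (fall back to EDNS with udpsize=512, never to old DNS).
FALLBACK_TO_PLAIN = [4096, None]
FALLBACK_TO_512 = [4096, 512]

def answer(packet):
    """Constructed minimal reply: same header with QR/RA set, rest echoed."""
    return packet[:2] + b"\x81\x80" + packet[4:]

def broken_middlebox(packet):
    """Constructed path that silently drops any query carrying an OPT RR."""
    return None if query_has_opt(packet) else answer(packet)

def lossy_path():
    """Constructed path that loses exactly the first datagram, then works."""
    state = {"sent": 0}
    def send(packet):
        state["sent"] += 1
        return None if state["sent"] == 1 else answer(packet)
    return send
```

Against the broken middlebox only the plain-DNS policy ever gets an answer; on the merely lossy path the plain-DNS policy gives up EDNS after one lost packet, which is the trade-off the two messages disagree about.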