FORMERR responses after upgrading resolver from 9.16 to 9.18.8
Borja Marcos
borjam at sarenet.es
Fri Oct 21 08:50:41 UTC 2022
> On 21 Oct 2022, at 03:51, Mark Andrews <marka at isc.org> wrote:
>
>>
>>
>>>> Of course I would prefer to upgrade back to 9.18.X, but I guess I won't be able to find all EDNS0 incompatible servers and losing customers to 8.8.8.8 - which is able to resolve these names..
>>> This is kind of a moot argument - the DNS needs to evolve, and it can't evolve if we keep supporting broken stuff. This needs to be fixed on the authoritative operator side, not in BIND 9.
>>
>> You're absolutely right. I guess I've just kind of given up on convincing other people to fix their stuff (dayjob trauma). Sorry about that.
>
> It’s also a very small percentage of servers that are broken. If you look at the time series
> on https://ednscomp.isc.org/ you can drill down and see the values. For example there are a
> little over 10 servers for all zones in .GOV that exhibit this broken behaviour. It’s gone
> from ~11% in 2014 to 0.26% currently. We are at the mop up stage. For some other populations
> we are at 0%.
>
> The EDNS specification was updated in April 2013 to specify some unspecified behaviour. In
> particular this was added.
While I heartily agree with the need to polish the network, some measures can be a problem unless there is a really big
commitment from the Big Guns.
In my case I had to abort an upgrade to 9.18 on our recursive servers because, well, “Google DNS worked better than ours”,
going back to 9.16.
I know it's the same situation that happened when Internet Explorer “successfully” rendered all kinds of abominations while proper web
clients barfed (with good reason!) and I also know that lousy formats and lack of respect for standards are the breeding
ground of serious security incidents.
End of rant: A wider consensus is needed.
Borja.