FORMERR responses after upgrading resolver from 9.16 to 9.18.8

Borja Marcos borjam at sarenet.es
Fri Oct 21 08:50:41 UTC 2022



> On 21 Oct 2022, at 03:51, Mark Andrews <marka at isc.org> wrote:
> 
>> 
>> 
>>>> Of course I would prefer to upgrade back to 9.18.X, but I guess I won't be able to find all EDNS0 incompatible servers and losing customers to 8.8.8.8 - which is able to resolve these names..
>>> This is kind of a moot argument - the DNS needs to evolve, and it can't evolve if we keep supporting broken stuff. This needs to be fixed on the authoritative operator side, not in BIND 9.
>> 
>> You're absolutely right. I guess I've just kind of given up on convincing other people to fix their stuff (dayjob trauma). Sorry about that.
> 
> It’s also a very small percentage of servers that are broken.  If you look at the time series
> on https://ednscomp.isc.org/ you can drill down and see the values.  For example there are a
> little over 10 servers for all zones in .GOV that exhibit this broken behaviour.  It’s gone
> from ~11% in 2014 to 0.26% currently.  We are at the mop up stage.  For some other populations
> we are at 0%.
> 
> The EDNS specification was updated in April 2013 to specify some unspecified behaviour.  In
> particular this was added.

While I heartily agree with the need to polish the network, some measures can be a problem unless there is a really big
commitment from the Big Guns.

In my case I had to abort an upgrade to 9.18 on our recursive servers because, well, “Google DNS worked better than ours”,
and went back to 9.16.

I know it's the same situation that happened when Internet Explorer “successfully” rendered all kinds of abominations while proper web
clients barfed (with good reason!), and I also know that lousy formats and lack of respect for standards are the breeding
ground of serious security incidents.

End of rant: A wider consensus is needed.

Borja.
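The thread above turns on authoritative servers that mishandle EDNS(0) queries and the FORMERR responses a resolver sees from them. The following is an added example, not code from this post, from ISC or from ednscomp: it builds a query carrying an OPT record and classifies a response against the RFC 6891 rules a resolver relies on (a legacy responder answers FORMERR without OPT; an EDNS responder must echo an OPT record, must answer an unsupported EDNS version with BADVERS, and must ignore rather than echo unknown options). The responses it checks are constructed in-process by build_response(), which stands in for the assumed behaviours of different servers; nothing is sent on the network. The option code 65001 used as the "unknown" option is taken from the Local/Experimental range that no public server should recognise.

```python
"""Minimal EDNS(0) probe builder and response classifier (constructed example).

Not from the post or from ISC. Implements the RFC 6891 checks a resolver
relies on; build_response() fabricates the server behaviours being classified.
"""
import struct

FORMERR = 1
BADVERS = 16          # extended RCODE 16 = BADVERS (RFC 6891 section 6.1.3)
QTYPE_A = 1
QTYPE_OPT = 41
UNKNOWN_OPTION = 65001  # Local/Experimental range: no public server should know it


def _encode_name(qname: str) -> bytes:
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(qname: str, qid: int = 0x1234, edns_version: int = 0,
                udp_size: int = 1232, options: bytes = b"") -> bytes:
    """qname/IN/A query with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    question = _encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    ttl = edns_version << 16                # ext-rcode(8) | version(8) | flags(16)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, ttl, len(options)) + options
    return header + question + opt


def build_response(query: bytes, rcode: int, opt: bool = True, version: int = 0,
                   options: bytes = b"") -> bytes:
    """Constructed responder: copies the question, sets QR|RD|RA and the
    (possibly extended) RCODE, optionally appends an OPT RR. Assumption only."""
    qd_end = _skip_name(query, 12) + 4
    flags = 0x8180 | (rcode & 0xF)
    header = struct.pack("!2sHHHHH", query[:2], flags, 1, 0, 0, 1 if opt else 0)
    ttl = ((rcode >> 4) << 24) | (version << 16)
    opt_rr = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 1232, ttl, len(options)) + options
    return header + query[12:qd_end] + (opt_rr if opt else b"")


def _find_opt(msg: bytes):
    """Return (version, extended-rcode high bits, [option codes]) of the OPT RR
    in the additional section, or None if the message carries none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    found = None
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_OPT and i >= an + ns:
            codes, p = [], 0
            while p + 4 <= len(rdata):          # options are (code, len, data)
                code, ln = struct.unpack("!HH", rdata[p:p + 4])
                codes.append(code)
                p += 4 + ln
            found = ((ttl >> 16) & 0xFF, ttl >> 24, codes)
    return found


def classify_response(query: bytes, resp: bytes) -> str:
    """Classify a server's reply to an EDNS query per RFC 6891."""
    if resp[:2] != query[:2]:
        return "broken: response ID does not match query"
    rcode = struct.unpack("!H", resp[2:4])[0] & 0xF
    q_version, _, q_codes = _find_opt(query)
    opt = _find_opt(resp)
    if opt is None:
        if rcode == FORMERR:   # section 7: legacy server, no OPT, FORMERR
            return "legacy: FORMERR without OPT (no EDNS support; resolver may retry without EDNS)"
        return "broken: answered an EDNS query without an OPT record"
    version, ext_hi, codes = opt
    ext_rcode = (ext_hi << 4) | rcode
    if version != 0:
        return "broken: OPT version in response is not 0"
    if q_version != 0:         # section 6.1.3: higher version must draw BADVERS
        if ext_rcode == BADVERS:
            return "ok: BADVERS for unsupported EDNS version"
        return "broken: did not return BADVERS for EDNS version %d" % q_version
    if ext_rcode == FORMERR:
        return "broken: FORMERR with OPT record on a valid EDNS query"
    echoed = [c for c in codes if c in q_codes and 65001 <= c <= 65534]
    if echoed:                 # section 6.1.2: unknown options MUST be ignored
        return "broken: echoed unknown EDNS option(s) %s" % echoed
    return "ok: EDNS(0) response with OPT"
```

A probe against a real server would send build_query() over UDP and feed the reply to classify_response(); the "legacy" outcome is the only non-"ok" result a resolver can work around by retrying without EDNS, which is why the other categories are the ones that surface as resolution failures.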