FORMERR responses after upgrading resolver from 9.16 to 9.18.8

Ondřej Surý ondrej at isc.org
Fri Oct 21 14:53:16 UTC 2022


Anand,

there are two layers - Google certainly doesn’t do anything wrong, but they would do the world a favor if there was a stronger push towards compliance with the DNS protocol.

On the authoritative side - it’s certainly true that neither DNS Cookies nor NSID is mandatory, but the part that is mandatory (**MUST**) is correct handling of the unknown EDNS0 option.

It’s kind of a chicken-and-egg problem - resolver operators won’t enable DNS Cookies because there are some broken domains, and the broken domains won’t fix it because it works with “big tech”. And the security suffers and everybody loses in the end.

Somebody needs to make the first step, so we did it. It’s documented in the troubleshooting section, it can be disabled, and if anybody feels there could be more or better documentation, we do accept external Merge Requests, and we do appreciate improvements to the documentation as well as to the code. The documentation is equally important as correct code, and we are not operators ourselves, so we might miss a few things.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 21. 10. 2022, at 14:26, Anand Buddhdev <anandb at ripe.net> wrote:
> 
> On 21/10/2022 14:04, Hugo Salgado wrote:
> 
>> But wasn't it exactly the idea with the 2019 DNS Flag Day campaign?
>>   http://www.dnsflagday.net/2019/
>> I see Google's name there, so I would expect their commitment to refuse
>> to solve incorrect domains. They do a skinny favor to all the Internet
>> by returning to the workarounds, and blaming those who do well (as
>> Bind 9.18)
> 
> I wouldn't blame Google so quickly. The servers we're discussing in this thread return FORMERR when the query has the COOKIE or NSID options. DNS cookies are recommended (RFC uses "should") rather than mandated. Now, if the Google resolver simply isn't sending these options, then it is not affected. Similarly, a resolver like Unbound (which as far as I know doesn't send cookies yet), will also not be affected.
> 
> While DNS cookies are not mandatory, it's not fair to point a finger at a resolver that doesn't use this feature yet.
> 
> Regards,
> Anand
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
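The thread turns on one concrete behaviour: an authoritative server that answers FORMERR when the query's OPT record carries COOKIE, NSID, or any option it does not recognise, where RFC 6891 requires unknown options to be ignored. The script below is an added example, not code from this thread or from BIND; it is a stdlib-only Python probe an operator can run against the authoritative servers they are responsible for, together with two constructed sample replies (not captured traffic) so the parsing and verdict logic can be exercised offline. The option codes are the IANA-registered values (NSID = 3, COOKIE = 10); 65001 comes from the local/experimental range and stands in for an option no server can know. The function names, the verdict strings and the `example.com` sample question are my own choices.

```python
import random
import socket
import struct

# EDNS0 option codes (IANA "DNS EDNS0 Option Codes" registry); 65001 is from the
# local/experimental range, so no server should recognise it.
EDNS_NSID, EDNS_COOKIE, EDNS_UNKNOWN = 3, 10, 65001
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"

def build_opt_rr(options, udp_size=1232):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = 0."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata

def build_query(qname, options, qtype=1, txid=None):
    """Build an RD=1 query; options=None means no OPT record at all."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0 if options is None else 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + (b"" if options is None else build_opt_rr(options))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract the extended RCODE and the EDNS option codes carried in a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    has_opt, option_codes = False, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            has_opt = True
            rcode |= ((ttl >> 24) & 0xFF) << 4  # EXTENDED-RCODE lives in the top TTL byte
            p = off
            while p < off + rdlen:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                option_codes.append(code)
                p += 4 + olen
        off += rdlen
    return {"id": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "has_opt": has_opt, "options": option_codes}

def assess(baseline, with_option):
    """Compare the reply to a plain EDNS query with the reply to the same query plus one option."""
    if baseline["rcode"] != 0:
        return "inconclusive: the plain EDNS query already failed"
    if with_option["rcode"] == 1:
        return "broken: FORMERR on an EDNS option (RFC 6891 requires unknown options to be ignored)"
    if not with_option["has_opt"]:
        return "degraded: answered, but the OPT record was dropped from the reply"
    return "ok"

def probe(server, qname, options, timeout=2.0):
    """Send one UDP query to an authoritative server you operate and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, options), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply)

# Constructed sample replies (not captured traffic) so the parser runs offline:
# a NOERROR reply carrying an empty OPT, and a FORMERR reply of the kind the
# thread describes (RCODE=1 and no OPT record at all).
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _QUESTION + build_opt_rr([])
SAMPLE_FORMERR = struct.pack("!HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <server-ip> <zone-name>
        base = probe(sys.argv[1], sys.argv[2], [])
        for label, opts in (("NSID", [(EDNS_NSID, b"")]), ("COOKIE", [(EDNS_COOKIE, bytes(8))]),
                            ("unknown", [(EDNS_UNKNOWN, b"")])):
            print(label, assess(base, probe(sys.argv[1], sys.argv[2], opts)))
    else:
        print(assess(parse_response(SAMPLE_OK), parse_response(SAMPLE_FORMERR)))
```

Run with no arguments to see the offline verdict on the constructed samples, or with `<server-ip> <zone-name>` to send a baseline EDNS query followed by one query each with NSID, COOKIE and the unknown option to a server you are responsible for. The baseline query is what separates an option-handling bug from a server that cannot do EDNS at all; "broken" on the unknown-option probe is the MUST-level violation Ondřej refers to, and the COOKIE probe reproduces the FORMERR the thread is about without needing a 9.18 resolver in the path.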

