Well we could ask them to implement EDNS correctly let alone DNSSEC.
The following query should succeed but doesn't.
dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +edns=1
There are no sane reasons to block EDNS negotiation.
Similarly there is no sane reason to drop EDNS queries with a Z flag bit set.
The following query also times out (requires dig from BIND 9.11.0 or later).
dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +ednsflags=0x80
Dropping either +edns=1 or +ednsflags=0x80 results in a successful EDNS query.
The expected behaviour for both of these queries is well defined for EDNS(0)
servers. Return BADVERS for +edns=1 and ignore the flag bit in the request.
If you let EDNS version 0 queries through a firewall there is zero reason to
block either of these queries.
Mark
In message <823592EC-DF0E-4680-8C51-FF9EECCCDF5A(_at_)virtualized(_dot_)org>,
David Conrad
writes:
On Sep 17, 2014, at 1:22 PM, Ross Finlayson <finlayson(_at_)live555(_dot_)com> wrote:
On Sep 17, 2014, at 8:56 AM, David Conrad <drc(_at_)virtualized(_dot_)org> wrote:
If a connection attempt is made to a CloudFlare customer from a source IP address used in an attack, that connection is thrown over to a CAPTCHA.
Can the IETF not be trusted to secure its own server(s)?
Sure. How much do you want to spend?
Why have we contracted to a 3rd party that chooses to act as a 'Nanny'?
Odd phrasing. It's a feature of the service CloudFlare sells. It is (or was, haven't looked in a number of years) tunable.
Regards,
-drc
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
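An added example, not from this thread and not BIND or dig code: it builds the same two queries Mark describes (EDNS version 1, and an unknown Z flag bit 0x80) in DNS wire format and shows what an RFC 6891 compliant responder does with each, so the expected behaviour can be checked offline. The function names (build_query, handle_query) and the sample query ID are my own choices.

```python
import struct

OPT = 41                   # EDNS OPT pseudo-RR type (RFC 6891)
DO = 0x8000                # the only EDNS(0) flag bit defined; all other bits are "Z"
NOERROR, BADVERS = 0, 16   # BADVERS = extended RCODE 1 (OPT) with base RCODE 0 (header)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, version=0, flags=0, edns=True, udp_size=4096, qid=0x1234):
    """Wire-format A query, optionally with an OPT RR (what dig +edns/+ednsflags sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD, 1 Q
    question = encode_name(qname) + struct.pack("!HH", 1, 1)                  # A, IN
    if not edns:
        return header + question
    ttl = (version << 16) | flags          # OPT "TTL": ext-RCODE(8) | version(8) | flags(16)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)   # root name, RDLEN 0
    return header + question + opt

def skip_name(wire, off):
    while True:
        ln = wire[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:              # compression pointer: 2 bytes, ends the name
            return off + 2
        off += ln + 1

def handle_query(wire):
    """(rcode, edns_version, edns_flags) a compliant EDNS(0) server puts in its reply;
    version/flags are None when the query carried no OPT record at all."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype != OPT:
            continue
        version, eflags = (ttl >> 16) & 0xFF, ttl & 0xFFFF
        if version != 0:
            return (BADVERS, 0, 0)         # RFC 6891 6.1.3: BADVERS, highest supported version
        return (NOERROR, 0, eflags & DO)   # unknown Z bits ignored and cleared in the reply
    return (NOERROR, None, None)           # plain query: answer without EDNS
```

A middlebox that drops these queries instead of letting the server answer BADVERS or ignore the Z bit is what makes the two dig commands above time out.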