ietf

Re: IETF web site behind CloudFlare

2014-09-17 17:58:06

I misspoke.  ENOCOFFEE

That said there is still no logical reason to block EDNS version 1 queries
or queries with Z flag bits set.

Mark

In message 
<20140917223020(_dot_)BD8E01FAE299(_at_)rock(_dot_)dv(_dot_)isc(_dot_)org>, 
Mark Andrews writes:

Well we could ask them to implement EDNS correctly let alone DNSSEC.
The following query should succeed but doesn't.

dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +edns=1

There are no sane reasons to block EDNS negotiation.

Similarly there is no sane reason to drop EDNS queries with a Z flag bit set.
The following query also times out (requires dig from BIND 9.11.0 or later).

dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +ednsflags=0x80

Dropping either +edns=1 or +ednsflags=0x80 results in a successful EDNS query.

The expected behaviour for both of these queries is well defined for EDNS(0)
servers.  Return BADVERS for +edns=1 and ignore the flag bit in the request.

If you let EDNS version 0 queries through a firewall there are zero reasons to
block either of these queries.

Mark

In message <823592EC-DF0E-4680-8C51-FF9EECCCDF5A(_at_)virtualized(_dot_)org>, 
David Conrad writes:


On Sep 17, 2014, at 1:22 PM, Ross Finlayson <finlayson(_at_)live555(_dot_)com> wrote:
On Sep 17, 2014, at 8:56 AM, David Conrad <drc(_at_)virtualized(_dot_)org> wrote:
If a connection attempt is made to a CloudFlare customer from a source IP address used in an attack, that connection is thrown over to a CAPTCHA.
Can the IETF not be trusted to secure its own server(s)?

Sure. How much do you want to spend?

Why have we contracted to a 3rd party that chooses to act as a 'Nanny'?

Odd phrasing. It's a feature of the service CloudFlare sells. It is (or was, haven't looked in a number of years) tunable.

Regards,
-drc



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org

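The two probes in the thread, rebuilt so the outcome can be checked programmatically rather than read off a dig timeout. This is an added example, not code from the post, from ISC or from BIND: it sends a query carrying an OPT RR with EDNS version 1 (dig's +edns=1) or with a Z flag bit set (dig's +ednsflags=0x80) and judges the reply against what Mark describes as the defined EDNS(0) behaviour (BADVERS offering version 0 for the first, a normal answer with the bit ignored for the second). It uses only the Python standard library; the function names, the 3 s timeout and the 4096-byte advertised UDP size are my choices, and the server address and query name are whatever you pass on the command line.

```python
"""EDNS(0) probes for the thread's two cases (RFC 6891), standard library only.
Added example, not code from the post or from ISC/BIND; function names and
the 3 s timeout are my choices.
"""
import secrets
import socket
import struct
from typing import Optional

TYPE_OPT = 41
RCODE_BADVERS = 16      # extended RCODE 1 with base RCODE 0 (RFC 6891 s6.1.3)
EDNS_Z_MASK = 0x7FFF    # the OPT flags word minus the DO bit (0x8000)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as uncompressed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname: str, version: int = 0, ednsflags: int = 0,
                     udp_size: int = 4096, qtype: int = 1,
                     msg_id: Optional[int] = None) -> bytes:
    """A query with one OPT RR; OPT TTL = ext-rcode(8) | version(8) | flags(16)."""
    if msg_id is None:
        msg_id = secrets.randbits(16)
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1, 1 Q, 1 AR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = (version << 16) | (ednsflags & 0xFFFF)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)  # root, no RDATA
    return header + question + opt


def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past a name; a compression pointer (11xxxxxx) ends it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(buf: bytes) -> dict:
    """Pull the (extended) RCODE and OPT fields out of a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4            # QTYPE + QCLASS
    info = {"id": msg_id, "rcode": flags & 0xF, "edns": False,
            "version": None, "ednsflags": None, "udp_size": None}
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, version=(ttl >> 16) & 0xFF,
                        ednsflags=ttl & 0xFFFF,
                        rcode=((ttl >> 24) << 4) | (flags & 0xF))  # extended RCODE
    return info


def verdict(probe_version: int, probe_flags: int, resp: Optional[dict]) -> str:
    """Judge a reply against what an EDNS(0) server must do (RFC 6891 s6.1.3/6.1.4)."""
    if resp is None:
        return "FAIL: no response (query dropped)"
    if probe_version > 0:                         # unknown version -> BADVERS, offer version 0
        if resp["edns"] and resp["rcode"] == RCODE_BADVERS and resp["version"] == 0:
            return "OK: BADVERS, server offers version 0"
        return "FAIL: expected BADVERS, got rcode=%d version=%s" % (resp["rcode"], resp["version"])
    if probe_flags & EDNS_Z_MASK:                 # Z bits -> ignored, normal answer
        if resp["edns"] and resp["rcode"] == 0 and not (resp["ednsflags"] & EDNS_Z_MASK):
            return "OK: Z bits ignored, normal EDNS answer"
        return "FAIL: rcode=%d edns=%s flags=%s" % (resp["rcode"], resp["edns"], resp["ednsflags"])
    return "OK: plain EDNS(0) answer" if resp["edns"] else "FAIL: no OPT RR in reply"


def probe(server: str, qname: str, version: int = 0, ednsflags: int = 0,
          timeout: float = 3.0) -> Optional[dict]:
    """One UDP probe; None on timeout, which is what the dig runs in the thread hit."""
    query = build_edns_query(qname, version, ednsflags)
    expected_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_message(data)
    return resp if resp["id"] == expected_id else None


if __name__ == "__main__":
    import sys                                    # usage: script.py <server-ip> <qname>
    for ver, fl in ((1, 0), (0, 0x80)):
        print("version=%d flags=0x%04x:" % (ver, fl), verdict(ver, fl, probe(sys.argv[1], sys.argv[2], ver, fl)))
```

Run it against the IP of the name server you want to test and a name it serves; a "FAIL: no response" on either probe is the same middlebox behaviour the dig commands above show, while a server that merely answers with plain EDNS(0) to the version 1 probe (no BADVERS) is also reported as non-conformant, since that hides which versions it actually supports.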