17 comments
1. ikeboy+(OP) 2019-05-04 19:03:31
Just like we consider it the kernel's fault if user applications break due to a change, I think it's the DNS resolver's fault if they're using a protocol that some popular sites don't support.

As soon as I realized they were causing this issue I just switched away. Other DNS providers don't have this issue.

replies(1): >>akerl_+B
2. akerl_+B 2019-05-04 19:08:18
>>ikeboy+(OP)
It doesn’t really seem to be the resolvers “using a protocol that [archive.is] doesn’t support”; it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response. How is Cloudflare meant to work around that kind of behavior?
replies(2): >>ikeboy+21 >>Chloru+p1
3. ikeboy+21 2019-05-04 19:13:02
>>akerl_+B
https://twitter.com/archiveis/status/999788186904576002 claims that cloudflare isn't supporting a protocol that would enable it to work with their servers.
replies(2): >>akerl_+r1 >>floati+02
4. Chloru+p1 2019-05-04 19:15:46
>>akerl_+B
>"it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response."

What makes the response incorrect? I was under the impression that DNS implementations were under no "practical" obligation to return consistent queries to differing requester IP addresses (hence stuff like split-horizon DNS and EDNS: https://developers.google.com/speed/public-dns/docs/ecs )

replies(3): >>akerl_+y1 >>Chloru+Q1 >>Hello7+3q
5. akerl_+r1 2019-05-04 19:16:22
>>ikeboy+21
That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.

replies(1): >>ikeboy+N1
6. akerl_+y1 2019-05-04 19:17:25
>>Chloru+p1
Sorry, to clarify: when archive.is receives a DNS lookup from Cloudflare’s resolvers, they reply with an IP in the 127.0.0.0/8 range, so the origin client is unable to connect (since those IPs aren’t routable over the internet).
7. ikeboy+N1 2019-05-04 19:20:08
>>akerl_+r1
The right thing for Cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe Cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

replies(1): >>akerl_+v2
8. Chloru+Q1 2019-05-04 19:20:25
>>Chloru+p1
Thanks for the clarification here and in the other posts, that makes perfect sense.
9. floati+02 2019-05-04 19:22:01
>>ikeboy+21
Archive.is does not appear to specify in detail what operational issues result from the missing client subnet EDNS data. We can speculate, though. Is it for data harvesting purposes, or for global load balancing concerns? Are users complaining due to some unknown side effect? Are localized in-country-firewall servers receiving traffic from out-country clients?
10. akerl_+v2 2019-05-04 19:26:20
>>ikeboy+N1
This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless a kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

replies(2): >>ikeboy+X2 >>ikeboy+o3
11. ikeboy+X2 2019-05-04 19:29:52
>>akerl_+v2
If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

replies(1): >>TheGod+xF
12. ikeboy+o3 2019-05-04 19:33:12
>>akerl_+v2
Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

replies(4): >>tambre+N4 >>akerl_+K5 >>Thorre+C8 >>wolco+6l
13. tambre+N4 2019-05-04 19:43:19
>>ikeboy+o3
Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.
14. akerl_+K5 2019-05-04 19:51:43
>>ikeboy+o3
Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.
15. Thorre+C8 2019-05-04 20:13:56
>>ikeboy+o3

    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

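The two checks the thread describes (does the nameserver answer a plain, non-EDNS query, and is the returned A record something a client can actually reach, rather than 127.0.0.0/8) can be scripted. The block below is an added example, not code posted by any commenter: it builds a DNS query with only the standard library, optionally attaching an EDNS0 OPT record that carries an ECS option (RFC 7871, option code 8), parses the A records out of a response, and labels loopback or otherwise unroutable answers. The response it checks is constructed inside the block so it runs offline; `check_resolver` is an assumed helper showing how the same parser would be used against a live server over UDP.

```python
# Added example: build DNS queries with/without EDNS0 + ECS and classify the answer.
import ipaddress
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(subnet):
    """ECS option body: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in a query), ADDRESS."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]  # only the prefix bits
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(name, txid=0x1234, edns=False, ecs=None):
    """A-record query; with edns/ecs set, an OPT RR goes in the additional section."""
    use_opt = edns or ecs is not None
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_opt else 0)
    packet = header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, 1)
    if use_opt:
        rdata = build_ecs_option(ecs) if ecs is not None else b""
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return packet


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_a_records(response):
    """Extract A-record addresses from the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_A and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(response[off:off + 4])))
        off += rdlen
    return ips


def classify_answer(ips):
    """Label each address: 'loopback' (127.0.0.0/8), 'unroutable' (other non-global), or 'global'."""
    result = []
    for ip_text in ips:
        ip = ipaddress.ip_address(ip_text)
        label = "loopback" if ip.is_loopback else ("global" if ip.is_global else "unroutable")
        result.append((ip_text, label))
    return result


def build_response(query, ips, ttl=60):
    """Constructed response for offline testing: echoes the question, answers with the given A records."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:  # 0xC00C = pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def check_resolver(server, name, edns=False, ecs=None, timeout=3.0):
    """Assumed helper: send one UDP query to a server and classify what it answers (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, edns=edns, ecs=ecs), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify_answer(parse_a_records(data))


if __name__ == "__main__":
    query = build_query("archive.is")
    # Constructed answer of the kind the thread describes: an address in 127.0.0.0/8
    fake = build_response(query, ["127.0.0.1"])
    print(classify_answer(parse_a_records(fake)))
    print(classify_answer(["134.119.220.26"]))  # the address the dig output above shows
```

A monitoring job would call `check_resolver` once without EDNS and once with a documentation-range ECS prefix such as 192.0.2.0/24, and alert when the two answers differ or when any label is not `global`; that is the comparison comments 5, 6 and 15 make by hand.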
16. wolco+6l 2019-05-04 22:33:08
>>ikeboy+o3
They need something that works for all sites.
17. Hello7+3q 2019-05-04 23:41:47
>>Chloru+p1
It is deliberately invalid.
18. TheGod+xF 2019-05-05 03:59:56
>>ikeboy+X2
When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloudflare's or anyone else's best interest to appease them.