zlacker

https://twitter.com/archiveis/status/999788186904576002 claims that cloudflare isn't supporting a protocol that would enable it to work with their servers.

>>ikeboy+(OP)
That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.

>>akerl_+p
The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

>>ikeboy+(OP)
Archive.is does not appear to specify in detail what operational issues result from the missing client subnet EDNS data. We can speculate, though. Is it for data harvesting purposes, or for global load balancing concerns? Are users complaining due to some unknown side effect? Are localized in-country-firewall servers receiving traffic from out-country clients?

>>ikeboy+L
This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless an kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

>>akerl_+t1
If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

>>akerl_+t1
Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

>>ikeboy+m2
Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.

>>ikeboy+m2
Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.

>>ikeboy+m2

    dig @carl.archive.is archive.is A +noedns

responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v

responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

>>ikeboy+m2
They need something that works for all sites.

>>ikeboy+V1
When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloud Flare or anyone else's best interest to appease them.