zlacker

9 comments
1. akerl_+(OP) 2019-05-04 19:16:22
That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.

replies(1): >>ikeboy+m
2. ikeboy+m 2019-05-04 19:20:08
>>akerl_+(OP)
The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

replies(1): >>akerl_+41
3. akerl_+41 2019-05-04 19:26:20
>>ikeboy+m
This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless a kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

replies(2): >>ikeboy+w1 >>ikeboy+X1
4. ikeboy+w1 2019-05-04 19:29:52
>>akerl_+41
If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

replies(1): >>TheGod+6E
5. ikeboy+X1 2019-05-04 19:33:12
>>akerl_+41
Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

replies(4): >>tambre+m3 >>akerl_+j4 >>Thorre+b7 >>wolco+Fj
6. tambre+m3 2019-05-04 19:43:19
>>ikeboy+X1
Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.
7. akerl_+j4 2019-05-04 19:51:43
>>ikeboy+X1
Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.
8. Thorre+b7 2019-05-04 20:13:56
>>ikeboy+X1

    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

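A small diagnostic, added here as an example and not part of the thread, that runs the dig check above both without EDNS and with an EDNS client-subnet (ECS) option against an authoritative server, then classifies the answers so that 127.0.0.0/8 responses stand out. The function names are assumptions; `+subnet` is dig's ECS option, and 192.0.2.0/24 is a documentation range used here as a placeholder subnet.

```shell
#!/bin/sh
# Added example (not from the thread): does an authoritative server's answer
# change depending on whether the query carries EDNS / ECS?

# classify_answers: read dig +short output on stdin (one IPv4 per line) and
# print one of: empty, loopback, mixed, ok. Loopback (127/8) answers are the
# kind of invalid response the thread describes.
classify_answers() {
    total=0; loop=0
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        total=$((total + 1))
        case "$ip" in
            127.*) loop=$((loop + 1)) ;;
        esac
    done
    if [ "$total" -eq 0 ]; then echo empty
    elif [ "$loop" -eq "$total" ]; then echo loopback
    elif [ "$loop" -gt 0 ]; then echo mixed
    else echo ok
    fi
}

# query: ask one server directly, either with EDNS disabled (+noedns) or with
# EDNS0 plus a client-subnet option. Needs dig and network access; the offline
# check below only exercises classify_answers.
query() {  # $1 = server, $2 = name, $3 = "noedns" or a subnet in CIDR form
    if [ "$3" = noedns ]; then
        dig "@$1" "$2" A +short +noedns +time=3 +tries=1
    else
        dig "@$1" "$2" A +short +edns=0 "+subnet=$3" +time=3 +tries=1
    fi
}

# compare: print the answer class for each query style and whether they differ.
compare() {  # $1 = server, $2 = name, $3 = client subnet to send as ECS
    no_edns=$(query "$1" "$2" noedns | classify_answers)
    with_ecs=$(query "$1" "$2" "$3" | classify_answers)
    printf 'noedns=%s ecs=%s\n' "$no_edns" "$with_ecs"
    [ "$no_edns" = "$with_ecs" ] && echo same-class || echo differs
}

# Live usage (assumed placeholder subnet; needs dig):
#   compare carl.archive.is archive.is 192.0.2.0/24
```

If both runs classify as `ok`, the server answers fine without EDNS, which is what the thread's dig test indicates; a `loopback` result only for one query style points at the answer being keyed on the query, not on EDNS support as such.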
9. wolco+Fj 2019-05-04 22:33:08
>>ikeboy+X1
They need something that works for all sites.
10. TheGod+6E 2019-05-05 03:59:56
>>ikeboy+w1
When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloudflare's or anyone else's best interest to appease them.
