zlacker

[parent] [thread] 8 comments
1. ikeboy+(OP) 2019-05-04 19:20:08
The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

replies(1): >>akerl_+I
2. akerl_+I 2019-05-04 19:26:20
>>ikeboy+(OP)
This diverges pretty hard from your earlier comparison between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless a kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

replies(2): >>ikeboy+a1 >>ikeboy+B1
3. ikeboy+a1 2019-05-04 19:29:52
>>akerl_+I
If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

replies(1): >>TheGod+KD
4. ikeboy+B1 2019-05-04 19:33:12
>>akerl_+I
Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

replies(4): >>tambre+03 >>akerl_+X3 >>Thorre+P6 >>wolco+jj
5. tambre+03 2019-05-04 19:43:19
>>ikeboy+B1
Cloudflare does support EDNS. They just don't forward the client's subnet, because they are privacy-oriented; doing so is optional and perfectly valid.
6. akerl_+X3 2019-05-04 19:51:43
>>ikeboy+B1
Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.
7. Thorre+P6 2019-05-04 20:13:56
>>ikeboy+B1

    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

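Added example, not code from the thread or from Cloudflare or archive.is: the comments above turn on the difference between "supporting EDNS" and "forwarding the client subnet". The block below builds the three kinds of A query that are being discussed (no EDNS, as with dig +noedns; EDNS0 with an empty OPT record; EDNS0 carrying an EDNS Client Subnet option per RFC 7871), decodes the OPT record back out to show exactly what prefix an ECS-forwarding resolver would reveal, and shows the strip step a privacy-preserving resolver applies before sending upstream. The query name and client addresses are constructed sample inputs; nothing here touches the network.

```python
from __future__ import annotations

import ipaddress
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option (RFC 7871)


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """ECS option: family, source prefix, scope (0 in queries) and only the
    prefix's address bytes with host bits zeroed. This truncated prefix is
    what a forwarding resolver reveals to the authoritative server."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def opt_rr(options: bytes = b"", udp_size: int = 4096) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(options)) + options


def build_query(qname: str, edns: bool = False,
                ecs: tuple[str, int] | None = None, txid: int = 0x1234) -> bytes:
    """Query for <qname> A IN: plain (dig +noedns), EDNS0, or EDNS0 with ECS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    additional = opt_rr(ecs_option(*ecs) if ecs else b"") if edns else b""
    return header + question + additional


def _options(rdata: bytes):
    """Yield (code, raw_option_bytes) pairs from OPT RDATA."""
    off = 0
    while off + 4 <= len(rdata):
        code, olen = struct.unpack("!HH", rdata[off:off + 4])
        yield code, rdata[off:off + 4 + olen]
        off += 4 + olen


def _find_opt(packet: bytes):
    """Locate the OPT RR: (offset of its fixed fields, class, ttl, rdata, end) or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        fields = _skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[fields:fields + 10])
        end = fields + 10 + rdlen
        if rtype == OPT_TYPE:
            return fields, rclass, ttl, packet[fields + 10:end], end
        off = end
    return None


def inspect_query(packet: bytes) -> dict:
    """Does the message carry EDNS0, and if so which client prefix does it leak?"""
    found = _find_opt(packet)
    if found is None:
        return {"edns": False, "ecs": None}
    for code, raw in _options(found[3]):
        if code == ECS_OPTION_CODE:
            family, src, scope = struct.unpack("!HBB", raw[4:8])
            addr = raw[8:]
            full = 4 if family == 1 else 16
            ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
            return {"edns": True, "ecs": {"network": f"{ip}/{src}", "scope": scope}}
    return {"edns": True, "ecs": None}


def strip_ecs(packet: bytes) -> bytes:
    """What an EDNS-capable but privacy-preserving resolver does before forwarding:
    keep the OPT RR, drop option 8 so no client prefix goes upstream."""
    found = _find_opt(packet)
    if found is None:
        return packet
    fields, rclass, ttl, rdata, end = found
    kept = b"".join(raw for code, raw in _options(rdata) if code != ECS_OPTION_CODE)
    return packet[:fields] + struct.pack("!HHIH", OPT_TYPE, rclass, ttl, len(kept)) + kept + packet[end:]


if __name__ == "__main__":
    for label, q in [("no EDNS", build_query("archive.is")),
                     ("EDNS0", build_query("archive.is", edns=True)),
                     ("EDNS0+ECS", build_query("archive.is", edns=True, ecs=("203.0.113.77", 24)))]:
        print(f"{label:10s} {len(q):3d} bytes  {inspect_query(q)}")
```

The EDNS0-only form is the one a non-ECS resolver sends upstream, so an authoritative server that answers it (as the dig +noedns check above and the Level3 and Hurricane Electric observations suggest archive.is does) is not technically dependent on ECS; strip_ecs applied to the ECS query yields byte-for-byte that form.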
8. wolco+jj 2019-05-04 22:33:08
>>ikeboy+B1
They need something that works for all sites.
9. TheGod+KD 2019-05-05 03:59:56
>>ikeboy+a1
When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloudflare's or anyone else's best interest to appease them.
