zlacker

7 comments
1. akerl_+(OP) 2019-05-04 19:26:20
This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless a kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

replies(2): >>ikeboy+s >>ikeboy+T
2. ikeboy+s 2019-05-04 19:29:52
>>akerl_+(OP)
If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

replies(1): >>TheGod+2D
3. ikeboy+T 2019-05-04 19:33:12
>>akerl_+(OP)
Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

replies(4): >>tambre+i2 >>akerl_+f3 >>Thorre+76 >>wolco+Bi
4. tambre+i2 2019-05-04 19:43:19
>>ikeboy+T
Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.
5. akerl_+f3 2019-05-04 19:51:43
>>ikeboy+T
Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.
6. Thorre+76 2019-05-04 20:13:56
>>ikeboy+T

    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

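The thread distinguishes three kinds of query an authoritative server like archive.is's can see: one with no EDNS at all (what `dig +noedns` sends, as in the comment above), one with an EDNS OPT record but no client-subnet option (what a privacy-oriented resolver sends, as described in comment 4), and one carrying an ECS option. The following is an added example, not code from the thread or from any of the parties discussed: it builds all three query forms on the wire (RFC 6891 OPT record, RFC 7871 ECS option) and inspects them the way a server-side check would, without touching the network. The transaction id, the 4096-byte UDP payload size and the 198.51.100.0/24 subnet are constructed sample values.

```python
"""Build and inspect DNS queries with and without EDNS(0) and ECS (added example)."""
import ipaddress
import struct

OPT_RR_TYPE = 41        # EDNS(0) OPT pseudo-RR, RFC 6891
ECS_OPTION_CODE = 8     # EDNS Client Subnet option, RFC 7871
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (not produced here, but handled)
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_ecs_option(subnet: str) -> bytes:
    """RFC 7871 ECS option: family, source prefix, scope prefix, truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    # Only the bytes covering the prefix are sent; the rest is left out.
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname: str, txid: int = 0x1234, edns: bool = True, ecs_subnet=None) -> bytes:
    """Build an A query; edns=False mirrors `dig +noedns`, ecs_subnet adds an ECS option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if edns:
        rdata = build_ecs_option(ecs_subnet) if ecs_subnet else b""
        # OPT RR: root name, type 41, UDP payload size in CLASS, ext-RCODE/version/flags in TTL
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def inspect_query(msg: bytes) -> dict:
    """Server-side view: does the query carry an OPT record, and does it carry ECS?"""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = decode_name(msg, offset)
    offset += 4  # QTYPE + QCLASS
    info = {"qname": qname, "edns": False, "udp_payload": None, "ecs": None}
    for _ in range(ancount + nscount + arcount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        info["edns"] = True
        info["udp_payload"] = rclass
        o = 0
        while o + 4 <= len(rdata):  # walk the OPT options
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_prefix, _scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                info["ecs"] = f"{ipaddress.ip_address(addr)}/{src_prefix}"
    return info


def classify(msg: bytes) -> str:
    """Map a query to the three cases discussed: no-edns, edns-no-ecs, edns-with-ecs."""
    info = inspect_query(msg)
    if not info["edns"]:
        return "no-edns"
    return "edns-no-ecs" if info["ecs"] is None else "edns-with-ecs"


if __name__ == "__main__":
    for label, q in [
        ("dig +noedns style", build_query("archive.is", edns=False)),
        ("EDNS, no client subnet", build_query("archive.is")),
        ("EDNS with ECS", build_query("archive.is", ecs_subnet="198.51.100.77/24")),
    ]:
        print(f"{label:25s} -> {classify(q)}  {inspect_query(q)}")
```

The point the classifier makes explicit is that "no EDNS" and "EDNS without ECS" are different things on the wire: a resolver can send a perfectly valid OPT record and still, by design, withhold the client's subnet, so a server that wants to distinguish those cases has to look inside the OPT options rather than just check for the record's presence.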
7. wolco+Bi 2019-05-04 22:33:08
>>ikeboy+T
They need something that works for all sites.
8. TheGod+2D 2019-05-05 03:59:56
>>ikeboy+s
When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloudflare's or anyone else's best interest to appease them.