zlacker

16 comments
1. profmo+(OP) 2019-10-04 06:44:52
> I consider EDNS-less requests from Cloudflare as invalid.

If your site depends on a DNS extension that's only 3.5 years old (and designed to be optional), I think it's fair to say your site is just offline for some users due to a config mistake.

You're free to set up your servers however you like, but there's wisdom in Postel's law.

replies(4): >>rumana+71 >>Thorre+r7 >>akvadr+ph >>throw0+Ul
2. rumana+71 2019-10-04 07:04:41
>>profmo+(OP)
> there's wisdom in Postel's law.

For the lazy like me: robustness principle, aka Postel's law

https://en.wikipedia.org/wiki/Robustness_principle

Thank you for the reference. I learned something today!

replies(1): >>cmroan+E2
3. cmroan+E2 2019-10-04 07:26:43
>>rumana+71
Thanks for the link, for which there's the counter-argument, "The Harmful Consequences of the Robustness Principle" [0]:

> A flaw can become entrenched as a de facto standard. Any implementation of the protocol is required to replicate the aberrant behavior, or it is not interoperable. This is both a consequence of applying Postel's advice, and a product of a natural reluctance to avoid fatal error conditions.

[0] https://tools.ietf.org/html/draft-iab-protocol-maintenance-0...

4. Thorre+r7 2019-10-04 08:31:14
>>profmo+(OP)
Archive.is does not block all requests lacking EDNS. They specifically block requests coming from Cloudflare's datacenters. Cloudflare is not accidentally misconfiguring their EDNS, Cloudflare is intentionally not sending EDNS.
replies(4): >>Operyl+p8 >>lagadu+U9 >>Stream+Kd >>doogli+8k
5. Operyl+p8 2019-10-04 08:44:32
>>Thorre+r7
They’re intentionally not sending an optional extension, that seems .. fair honestly.
replies(1): >>cnst+h9
6. cnst+h9 2019-10-04 08:58:50
>>Operyl+p8
The EDNS-Client-Subnet extension was not meant to be optional for folks running a CDN or a huge public resolver across 100+ POPs.
replies(1): >>lagadu+Y9
7. lagadu+U9 2019-10-04 09:09:43
>>Thorre+r7
The "misconfiguration" he's talking about is on archive.is' part. Their configuration expects some specific server to have an optional functionality enabled, which it doesn't.
replies(1): >>Thorre+ka
8. lagadu+Y9 2019-10-04 09:10:33
>>cnst+h9
"Was not meant" means nothing. It's specified as optional because it's an extension mechanism.
9. Thorre+ka 2019-10-04 09:14:52
>>lagadu+U9
Sorry, I don't understand. I was referring to this quote:

> I think it's fair to say your site is just offline for some users due to a config mistake.

Archive.is is not making an accidental mistake. Archive.is is behaving very intentionally. They've said so on Twitter. And I believe profmonocle agrees with me on that point.

replies(1): >>jgraha+Kz
10. Stream+Kd 2019-10-04 10:08:30
>>Thorre+r7
And I agree with that as a Cloudflare customer. In fact if this was a paid feature I would pay for it.

Just to give you more insight. Google knows which IP address I am using Gmail from. If I use 8.8.8.8, they know what other content I am looking for, which websites I visit, and tie that to my account. If I use something like Cloudflare, who do not expose my IP (or range), then I achieve more privacy. I could use my local DNS server (like I do at home) but I travel a lot.

In this case the "misconfiguration" is actually for privacy, and archive.is could live with that just like other sites do, but they intentionally screw with Cloudflare (aka the users who have 1.1.1.1 as their resolver).
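
The two comments above (cnst on why CDNs and large resolvers want EDNS Client Subnet, Stream on why a resolver that omits it leaks less about the user) are about the same few bytes on the wire. The script below is an added example, not code from this thread, from archive.is or from Cloudflare: it builds the same query three ways (no OPT RR at all, an OPT RR with no options, and an OPT RR carrying an ECS option per RFC 7871), then parses what the authoritative side can actually learn from each. `accept_query` is a hypothetical stand-in for the "EDNS-less requests are invalid" policy quoted in the OP, and the client address 203.0.113.77 is a constructed RFC 5737 documentation address.

```python
"""Construct DNS queries with and without EDNS0 / EDNS Client Subnet and
inspect what the authoritative side can learn from each (RFC 6891, RFC 7871).
Constructed example: no network traffic, standard library only."""
import ipaddress
import struct

OPT_TYPE = 41        # OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, edns=False, client_ip=None, source_prefix=24):
    """Raw DNS query for qname. edns=True appends an OPT RR; client_ip adds an
    ECS option inside it carrying the client address truncated to source_prefix
    bits (resolvers commonly forward no more than /24 for IPv4, /56 for IPv6)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    rdata = b""
    if client_ip is not None:
        net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
        family = 1 if net.version == 4 else 2
        nbytes = (source_prefix + 7) // 8   # only the octets covering the prefix go out
        addr_bytes = net.network_address.packed[:nbytes]
        option = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option)) + option
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_query(msg):
    """What an authoritative server sees: whether EDNS is present, the advertised
    UDP payload size, and the ECS client prefix if one was sent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):            # none in a query, handled for completeness
        off = _skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    seen = {"edns": False, "ecs": None}
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        seen["edns"], seen["udp_payload"] = True, rclass
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE and len(data) >= 4:
                family, src, _scope = struct.unpack("!HBB", data[:4])
                width = 4 if family == 1 else 16
                prefix = ipaddress.ip_address(data[4:].ljust(width, b"\x00"))
                seen["ecs"] = f"{prefix}/{src}"
    return seen


def accept_query(msg):
    """Hypothetical stand-in for the policy quoted in the OP: reject any query
    that carries no OPT RR at all."""
    return inspect_query(msg)["edns"]


if __name__ == "__main__":
    # 203.0.113.77 is a constructed RFC 5737 documentation address.
    cases = [("no EDNS", build_query("archive.is")),
             ("EDNS, no ECS", build_query("archive.is", edns=True)),
             ("EDNS + ECS", build_query("archive.is", edns=True, client_ip="203.0.113.77"))]
    for label, q in cases:
        print(f"{label:13s} accepted={accept_query(q)} {inspect_query(q)}")
```

The middle case is the one the thread keeps sliding past: a query can carry an OPT RR (so it is not "EDNS-less") and still disclose nothing about the client, because ECS is one optional option inside that RR. Only the third case hands the authoritative server a /24 of the user, which is exactly the trade-off Stream describes.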

11. akvadr+ph 2019-10-04 10:59:24
>>profmo+(OP)
EDNS is from 1999

https://tools.ietf.org/html/rfc2671

12. doogli+8k 2019-10-04 11:44:43
>>Thorre+r7
Do you have a source for this?
replies(2): >>Godel_+su >>Thorre+h42
13. throw0+Ul 2019-10-04 12:06:47
>>profmo+(OP)
Another interpretation of the Law by Mark Crispin, father of IMAP:

  This statement is based upon a terrible misunderstanding of Postel's
  robustness principle. I knew Jon Postel. He was quite unhappy with
  how his robustness principle was abused to cover up non-compliant
  behavior, and to criticize compliant software.

  Jon's principle could perhaps be more accurately stated as "in general,
  only a subset of a protocol is actually used in real life. So, you should
  be conservative and only generate that subset. However, you should also
  be liberal and accept everything that the protocol permits, even if it
  appears that nobody will ever use it."
* https://groups.google.com/d/msg/comp.mail.pine/E5ojND1L4u8/i...

Further discussion on the topic:

* https://news.ycombinator.com/item?id=9824638

14. Godel_+su 2019-10-04 13:14:19
>>doogli+8k
https://mobile.twitter.com/archiveis/status/1018691421182791...
replies(1): >>doogli+pK
15. jgraha+Kz 2019-10-04 13:48:08
>>Thorre+ka
And Cloudflare would happily talk to archive.is to come up with a solution.
16. doogli+pK 2019-10-04 14:50:52
>>Godel_+su
I've seen that, it doesn't really clarify whether the block singles out cloudflare in particular, or whether cloudflare is the only (significant) DNS resolver that the block happens to affect.
17. Thorre+h42 2019-10-05 01:55:40
>>doogli+8k
Sources for archive.is blocking Cloudflare's datacenters:

The exact same command fails when sent from Cloudflare's datacenters, but succeeds when sent from DigitalOcean:

https://community.cloudflare.com/t/archive-is-error-1001/182...

Two more sources:

https://news.ycombinator.com/item?id=19830258

https://news.ycombinator.com/item?id=19829036
