
Comment by akerl_

7 years ago

That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.

The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

  • This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

    If a dev updates their code so it won’t run unless a kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

    Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

    If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

    • Besides, my reading is:

      Every other resolver supports EDNS

      Archive.is only works with resolvers that support EDNS

      Cloudflare decided not to support EDNS

      That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.


    • If every other resolver works, then I expect Cloudflare to work.

      The kernel hardcodes plenty of hacky things to get specific hardware to work.

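The feature the thread calls "EDNS" is the EDNS Client Subnet option (ECS, RFC 7871), one option carried inside the EDNS(0) OPT pseudo-record: the resolver tells the authoritative server a prefix of the client's address so the answer can be tailored to it. The following is an added example, not code from this thread or from any resolver vendor, that encodes and decodes that option with only the Python standard library, so you can see exactly what a resolver exposes about its client under different policies (the policy names `omit`, `opt_out` and `truncated` are hypothetical labels) and includes the sanity check a client would want for the loopback-range answers mentioned above.

```python
"""Encode/decode the EDNS Client Subnet option (RFC 7871) with the standard
library only, and show what a resolver forwards under different policies.
Added illustration for the discussion above; not code from the thread."""
import ipaddress
import struct

OPT_RR_TYPE = 41       # EDNS(0) OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code (RFC 7871)


def encode_ecs_option(client_ip, source_prefix_len):
    """Build one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH,
    then the address truncated to the prefix with the remaining bits zeroed."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{ip}/{source_prefix_len}", strict=False)
    addr_bytes = net.network_address.packed[:(source_prefix_len + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def build_opt_rr(options, udp_payload_size=4096):
    """Wrap EDNS options in an OPT pseudo-RR: root name, TYPE 41, CLASS carries
    the UDP payload size, TTL carries extended RCODE/version/flags (zero here)."""
    rdata = b"".join(options)
    header = struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata))
    return b"\x00" + header + rdata


def parse_opt_rr(raw):
    """Return {option_code: option_data} from an OPT pseudo-RR."""
    if raw[0] != 0:
        raise ValueError("OPT RR must carry the root name")
    rr_type, _payload_size, _ttl, rdlen = struct.unpack("!HHIH", raw[1:11])
    if rr_type != OPT_RR_TYPE:
        raise ValueError("not an OPT RR")
    rdata = raw[11:11 + rdlen]
    options, off = {}, 0
    while off < len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        options[code] = rdata[off + 4:off + 4 + length]
        off += 4 + length
    return options


def decode_ecs_option(data):
    """Return (network, scope_prefix_len) from ECS option data; the wire
    address is zero-padded back to full length before interpretation."""
    family, source_len, scope_len = struct.unpack("!HBB", data[:4])
    full_len = 4 if family == 1 else 16
    addr = ipaddress.ip_address(data[4:].ljust(full_len, b"\x00"))
    return ipaddress.ip_network(f"{addr}/{source_len}", strict=False), scope_len


def resolver_outgoing_ecs(client_ip, policy):
    """What a resolver sends upstream about its client under a given policy.
    The policy names are hypothetical labels, not any vendor's configuration."""
    if policy == "omit":        # no ECS option at all: upstream learns nothing
        return None
    if policy == "opt_out":     # RFC 7871: SOURCE PREFIX-LENGTH 0 = no tailoring wanted
        return encode_ecs_option(client_ip, 0)
    if policy == "truncated":   # common compromise: /24 for IPv4, /56 for IPv6
        bits = 24 if ipaddress.ip_address(client_ip).version == 4 else 56
        return encode_ecs_option(client_ip, bits)
    raise ValueError(f"unknown policy {policy!r}")


def is_loopback_answer(answer_ip):
    """Sanity check for an A/AAAA answer: an address in 127.0.0.0/8 or ::1
    returned for a public site can never be a usable destination."""
    return ipaddress.ip_address(answer_ip).is_loopback


if __name__ == "__main__":
    # Constructed sample client address from the documentation range.
    opt = build_opt_rr([resolver_outgoing_ecs("203.0.113.77", "truncated")])
    net, scope = decode_ecs_option(parse_opt_rr(opt)[ECS_OPTION_CODE])
    print(f"upstream learns {net} (scope {scope}); the full address stays private")
    print("127.0.0.1 as an answer looks bogus:", is_loopback_answer("127.0.0.1"))
```

Running the script shows that even the "truncated" policy hands the authoritative server a /24 (or /56) around the client, which is the privacy cost the thread refers to; the "omit" policy sends nothing, and the only way for the authoritative side to distinguish that from a resolver that has never heard of ECS is the absence of the option, which is exactly what a server can choose to react to.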