+1 to Alan. While I work at an ivory tower and support Mark's mission, in practice I don't have operational time (nor is it necessarily the best use of my time) to maintain a per-IP bypass.

100% in support of enabling this by default as long as there is an option to disable.

-Michael

> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
> Sent: Tuesday, February 07, 2017 4:32 PM
> To: Reindl Harald <h.rei...@thelounge.net>
> Cc: bind-us...@isc.org
> Subject: Re: Enforce EDNS
>
> In message <4b0243b1-1c89-023b-f3f3-7279216d5...@thelounge.net>, Reindl Harald writes:
> >
> > On 07.02.2017 at 22:11, Mark Andrews wrote:
> > > In message <3836f038-c480-9970-fd53-a5c87ad36...@thelounge.net>, Reindl Harald writes:
> > >>> Break them. That's the only way it will eventually get fixed
> > >>
> > >> if things were that easy....
> > >>
> > >> the admins of the broken servers are the very last who are affected;
> > >> admins with a recent named have to bite the bullet of user terror, and
> > >> users typically don't give a damn when it worked yesterday
> > >>
> > >> the admins of the broken server don't give a damn about it as long as they can
> > >> point their fingers and say "look, the rest of the world has no lookup
> > >> errors"
> > >>
> > >> if it were that easy the problem of spam would not exist for many
> > >> years, while in reality you waste most of your time writing exceptions
> > >> here and there, disabling rules or scoring them lower, because you are not in
> > >> the position to educate every admin of sending servers out there
> > >
> > > You go over the admin's head. You go to the board of directors.
> > > You go to the minister responsible (yes, I have had to do that,
> > > along with a copy to the shadow minister and the company that the
> > > DNS was outsourced to for government domains).
> > > Good old snail mail.
> >
> > if *you* do that from your position it may work, but it still takes time in
> > a world where it sometimes takes days and weeks to find somebody who
> > can instruct an admin to change a simple CNAME record from machine A to
> > machine B, even with the director's OK and CC'ed in the message
>
> And you can fix the issue by hand while this is going on.
>
> server 74.113.204.34 { send-cookie false; };
> server 74.113.206.34 { send-cookie false; };
> server 117.56.91.203 { send-cookie false; };
> server 117.56.91.204 { send-cookie false; };
> server 117.56.91.234 { send-cookie false; };
> server 199.252/16 { send-cookie false; };
>
> (or request-sit no; for 9.10.x)
>
> There aren't lots of servers that drop EDNS or drop EDNS + DNS COOKIE.
> The big numbers are those that drop EDNS(1), which no one is using at
> this stage. See http://ednscomp.isc.org/
>
> > i doubt it works the same way for an ordinary admin in a small company,
> > where you have to make it work because *you* broke it with the named update,
> > and so your advice will be "roll back that stuff to the state of
> > yesterday where it worked", and no, you don't have the free time to call each
> > and every company and educate them
> >
> > the problem here is that as long as it's not a critical mass, anybody who
> > deployed the update breaking things has to bleed for it, and so you have
> > to find enough people with the power to go over admins' heads *before* the
> > breaking updates
> >
> > and no, when in your company people can't work because DNS is broken you
> > don't call foreign admins and directors - you have to fix that *now*, and
> > after you have fixed it you no longer have any argument for calling somebody
> > with no direct relation
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
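Mark's per-server "send-cookie false;" workaround only helps once you know which authoritative servers actually drop EDNS or EDNS+COOKIE queries rather than, say, being down. The script below is an added example written for this page, not code from the thread or from ISC: it probes one server three ways with dig (no EDNS, EDNS without a cookie, EDNS with a cookie) and prints the narrowest BIND server clause that restores lookups. It assumes a dig from BIND 9.11 or later (which has +cookie/+nocookie; 9.10 spells these +sit/+nosit and the named.conf option is "request-sit no;" instead of "send-cookie false;"), that the server is authoritative for the zone you pass, and that a usable answer means a NOERROR or NXDOMAIN rcode; the "edns no;" clause for servers that drop plain EDNS is a broader bypass than "send-cookie false;" and is used only when the cookie-free EDNS probe also fails.

```shell
#!/bin/sh
# Added example (not from the bind-users thread or ISC): probe an
# authoritative server for EDNS and DNS COOKIE handling and print the
# BIND 9.11+ named.conf "server" clause that works around it.
# Assumes dig from BIND 9.11+ (+cookie/+nocookie); on 9.10 substitute
# +sit/+nosit and "request-sit no;" for "send-cookie false;".

# query SERVER ZONE [dig flags...]: send one non-recursive SOA query and
# print "ok" on a usable rcode, else "fail" (timeout, FORMERR, SERVFAIL,
# REFUSED and NOTIMP all count as fail; dig exits non-zero on no reply).
query() {
    server=$1; zone=$2; shift 2
    out=$(dig @"$server" "$zone" SOA +norecurse +time=3 +tries=1 \
              +noall +comments "$@" 2>/dev/null) || { echo fail; return; }
    case "$out" in
        *"status: NOERROR"*|*"status: NXDOMAIN"*) echo ok ;;
        *) echo fail ;;
    esac
}

# classify PLAIN EDNS COOKIE SERVER: map the three probe results to the
# narrowest bypass that makes the server usable again. SERVER may be an
# address or a prefix (as in "server 199.252/16 { ... };" above).
classify() {
    plain=$1; edns=$2; cookie=$3; server=$4
    if [ "$plain" != ok ]; then
        echo "# $server: no answer even without EDNS; not an EDNS problem"
    elif [ "$edns" != ok ]; then
        echo "server $server { edns no; };"
    elif [ "$cookie" != ok ]; then
        echo "server $server { send-cookie false; };"
    else
        echo "# $server: EDNS and DNS COOKIE OK; no bypass needed"
    fi
}

# probe SERVER ZONE: run the three probes (no EDNS, EDNS without a
# cookie, EDNS with a cookie) and print the resulting clause.
probe() {
    classify "$(query "$1" "$2" +noedns)" \
             "$(query "$1" "$2" +edns=0 +nocookie)" \
             "$(query "$1" "$2" +edns=0 +cookie)" \
             "$1"
}

# Usage: ./edns-probe.sh <server-ip> <zone-it-is-authoritative-for>
if [ $# -eq 2 ] && command -v dig >/dev/null 2>&1; then
    probe "$1" "$2"
fi
```

Run it from the resolver host itself, since a middlebox between you and the authoritative server can drop EDNS just as effectively as the far end; repeat a failing probe before committing a clause, because a single timeout is also what packet loss looks like. Treat each emitted clause as the stopgap Mark describes, to be removed once the remote operator fixes their server.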