Florian Weimer writes:

> How would a DoH client know that the recursive resolver is “forbidden
> to forward” ECS data?
It doesn't know clearly. All it knows is that if it gets REFUSED when it sends a prefix outside its own address space, then something was wrong. If that then succeeds, it can only be inferred that the specified network was the problem.

On a meta level, it is the case that there are contractual relationships that forbid the forwarding in general and independent of DoH, such as the long-standing agreement between Google and Akamai.

> Do clients have to retry without ECS if they get a REFUSED response
> now? That looks like bad protocol design.

Yes and yes. It is one of my major complaints about the original ECS specification, as it was independently pushed into the wild after the original IETF blowback basically put it off the path of getting a thorough review. Not overloading REFUSED surely would have been an early revision.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
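The exchange described in the reply above, as an added example that is not code from the post, from the list, or from any real resolver: a minimal DNS wire encoder/decoder with the EDNS Client Subnet option (option code 8, RFC 7871), a constructed stand-in resolver whose policy (an assumption made only to model the scenario) is to answer REFUSED when the ECS prefix does not cover the querying client's own source address, and the client-side fallback of retrying without ECS on REFUSED. Function names, the query IDs, and the sample addresses are all constructed for this example.

```python
import ipaddress
import struct

OPT_ECS = 8          # EDNS Client Subnet option code (RFC 7871)
TYPE_OPT = 41        # OPT pseudo-RR type (RFC 6891)
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        n, off = msg[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def ecs_option(prefix):
    """ECS option: family, source prefix-length, scope 0, address truncated to the prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", OPT_ECS, len(body)) + body


def build_query(qname, qid, ecs_prefix=None):
    """A/IN query with RD set and one OPT RR (carrying ECS if requested)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = ecs_option(ecs_prefix) if ecs_prefix else b""
    # OPT RR: root owner name, TYPE 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def parse_ecs(query):
    """Return the ECS network found in the query's OPT RR, or None if there is none."""
    qdcount, arcount = struct.unpack("!HH", query[4:6] + query[10:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(query, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(arcount):
        _, off = decode_name(query, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10
        rdata, off = query[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):              # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != OPT_ECS:
                continue
            family, source_len, _scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == 1 else 16
            return ipaddress.ip_network((body[4:].ljust(width, b"\x00"), source_len))
    return None


def resolver_handle(query, client_ip):
    """Stand-in resolver (constructed for this example, not a real implementation).

    Assumed policy: REFUSED if the query carries an ECS prefix that does not
    contain the client's own source address; otherwise NOERROR with an empty answer.
    """
    qid = struct.unpack("!H", query[:2])[0]
    net = parse_ecs(query)
    rcode = RCODE_NOERROR
    if net is not None and ipaddress.ip_address(client_ip) not in net:
        rcode = RCODE_REFUSED
    flags = 0x8180 | rcode                        # QR, RD, RA; RCODE in the low 4 bits
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)


def rcode_of(response):
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def resolve_with_ecs(send, qname, ecs_prefix):
    """Client side: query with ECS; on REFUSED, retry once without it.

    `send` maps a wire query to a wire response. Returns (final_rcode, ecs_used).
    REFUSED is overloaded, so the prefix is only inferred to be the cause if the
    ECS-less retry succeeds.
    """
    resp = send(build_query(qname, 0x1234, ecs_prefix))
    if rcode_of(resp) != RCODE_REFUSED:
        return rcode_of(resp), True
    resp = send(build_query(qname, 0x1235, None))
    return rcode_of(resp), False
```

A client at 198.51.100.7 sending 198.51.100.0/24 gets NOERROR with ECS honoured; sending 203.0.113.0/24 gets REFUSED and falls back to a plain query, which is exactly the retry the post complains about having to do blind.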