In message <5658652f.2080...@bellis.me.uk>, Ray Bellis writes:
>
> On 27/11/2015 13:16, Paul Wouters wrote:
> > RFC 1122: "Be liberal in what you accept, and conservative in what you
> > send").
> >
> > It's cute, but it will lead to interop issues. It will also make
> > debugging more annoying for humans.
>
> See also draft-thomson-postel-was-wrong-00
> <https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00>
>
> Ray
DNSSEC only says the signature should stay together with the data. It does
not specify the order of the data and the signatures as far as I have seen.

As for being liberal in what you accept when it is out of spec, that often
causes more problems than it fixes. It's also hard to wind back if you want
to make things more strict. We fixed a bug which allowed us to start
correctly rejecting non "aa=1" responses and we had to start re-accepting
them as high profile servers were failing to set "aa=1" on all their servers.

Then you have Pandora.tv's DNS servers which are absolute pieces of garbage
spewing out non-compliant answers, but if you start rejecting them there is
all hell to pay. They don't do DNS or EDNS.

% dig pandora.tv ns @61.111.8.236 +noad +noedns

; <<>> DiG 9.11.0pre-alpha <<>> pandora.tv ns @61.111.8.236 +noad +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51035
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 27 extra bytes at end

;; QUESTION SECTION:
;pandora.tv.                    IN      NS

;; ANSWER SECTION:
pandora.tv.             300     IN      NS      n1.pandora.tv.
pandora.tv.             300     IN      NS      n2.pandora.tv.
pandora.tv.             300     IN      NS      n5.pandora.tv.
pandora.tv.             300     IN      NS      n6.pandora.tv.
pandora.tv.             300     IN      NS      n7.pandora.tv.

;; Query time: 218 msec
;; SERVER: 61.111.8.236#53(61.111.8.236)
;; WHEN: Sat Nov 28 09:12:32 EST 2015
;; MSG SIZE  rcvd: 140

% dig pandora.tv ns @61.111.8.236 +nocookie
;; Got bad packet: FORMERR
140 bytes
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e          .9...........pan
64 6f 72 61 02 74 76 00 00 02 00 01 c0 0c 00 02          dora.tv.........
00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00          .....,...n1.....
02 00 01 00 00 01 2c 00 05 02 6e 32 c0 0c c0 0c          ......,...n2....
00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0          .......,...n5...
0c 00 02 00 01 00 00 01 2c 00 05 02 6e 36 c0 0c          ........,...n6..
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0          .........,...n7.
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00                      ............
%

Now if we just start rejecting this garbage there will be lots of complaints,
but servers like this should just be wiped off the net.

Mark

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
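As an added example (not from the mail, from BIND or from ISC), here is a small Python parser fed the 140-byte response dumped above, retyped as its sample input: it walks the sections the way a resolver does and then reports what a strict implementation would refuse, namely the bytes left over after the last record and the zeroed type-0 record that the ARCOUNT of 1 points at in the additional section. The function names and the 16-hop compression-pointer limit are this example's own choices.

```python
import struct
# The 140-byte response dumped in the mail above (+nocookie query), retyped as sample input.
PANDORA_RESPONSE = bytes.fromhex("""
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e 64 6f 72 61 02 74 76 00 00 02 00 01
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00 02 00 01 00 00 01 2c 00
05 02 6e 32 c0 0c c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0 0c 00 02 00
01 00 00 01 2c 00 05 02 6e 36 c0 0c c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""")

def read_name(msg, off, hops=0):
    """Decode a (possibly compressed) owner name; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # RFC 1035 compression pointer
            if hops > 16:                             # refuse pointer loops (example's own limit)
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr, hops + 1)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) or ".", off + 1

def parse_response(msg):
    """Walk header, question and RR sections as a resolver would; NS rdata is decoded as a name."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4              # skip QNAME, QTYPE, QCLASS
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = read_name(msg, off)[0] if rtype == 2 else msg[off:off + rdlen].hex()
            off += rdlen
            rrs.append((owner, rtype, rclass, ttl, rdata))
        sections[section] = rrs
    return {"counts": (qd, an, ns, ar), "sections": sections, "extra_bytes": len(msg) - off}

def strict_problems(parsed):
    """What a strict parser refuses here and a liberal one silently swallows."""
    extra = parsed["extra_bytes"]
    problems = [f"{extra} extra bytes after the last record"] if extra else []
    problems += [f"additional RR '{o}' has reserved type {t}/class {c}"
                 for o, t, c, _, _ in parsed["sections"]["additional"] if t == 0 or c == 0]
    return problems
```

For this packet the walk ends at byte 124, leaving 16 trailing bytes after the bogus additional record; with ADDITIONAL: 0 the same five answers end at byte 113, which is consistent with the 27 extra bytes dig warned about on the +noedns query.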