In message <20160413135720.0504d...@pallas.home.time-travellers.org>, Shane Kerr writes:
> Ray,
>
> At 2016-04-13 12:06:25 +0100
> Ray Bellis <r...@bellis.me.uk> wrote:
>
> > On 13/04/2016 12:01, Shane Kerr wrote:
> >
> > > A third answer which falls outside of any of the current proposals is
> > > that there should be a way to document what the capabilities of an
> > > authority server are explicitly. If only there was a way to store
> > > meta-data about hosts in some sort of distributed database... ;)
> >
> > If only NAT and load-balancers didn't break the assumption that a single
> > IP address refers to a unique host with consistent behaviour... :p
> >
> > [I'm aware of at least one major DNS operator that runs heterogeneous DNS
> > clusters behind a single IP]
>
> Sure, it's quite common.
>
> This could cause problems as people upgraded software in their cluster
> where some of the servers support the multiple QTYPE option and others
> do not.

Not really, provided you can determine if the query was answered by a
server that supported the extension or not. The client can just retry
with multiple queries if the response indicates that the extension is
not supported. What's difficult is determining if an extension is
supported or not when DNS vendors do not follow the RFCs which are
designed to make the determination of whether an extension is supported
or not easy. If your servers fail any of the tests in
draft-ietf-dnsop-no-response-issue you are part of the problem. If you
are a vendor with a product that fails any of the tests in
draft-ietf-dnsop-no-response-issue please issue a CVE for that product
so that users can be informed that they need to upgrade.

> Probably a sentence in the specification should warn about that, and
> release notes from implementors should warn operators about this case.
> Something like:
>
> "If a single IP address sometimes answers without support for the
> option, then this option should be disabled for all servers
> answering from that IP address. Implementors SHOULD have a way to
> disable the option, to support this case."
>
> Since nobody is perfect, on the resolver side one would need to detect
> the single-IP-mixed-capabilities case and downgrade the capabilities
> tracked for the authority server. This implies that authority servers
> MUST include some sort of option to indicate support for multiple QTYPE
> in every reply, even if there is a single QTYPE.
>
> (Note that this is orthogonal to how the resolver learns about the
> support, whether it infers it from EDNS signaling or gets it from an RR
> or whatever.)
>
> Cheers,
>
> --
> Shane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
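The two mechanisms discussed in this exchange, a resolver retrying with one query per QTYPE when a reply shows the extension is unsupported, and a resolver downgrading the capability it tracks for an IP that fronts a heterogeneous cluster, are shown together in the following simulation. It is an added example, not code from the thread or from any DNS implementation: the multi-QTYPE option is modelled abstractly as a `marker` flag that a supporting server sets in every reply (the property the quoted text says authority servers MUST have), the cluster, server names, IP addresses and records are constructed, and the round-robin load balancer and the legacy server's behaviour (answer only the first QTYPE, no marker) are assumptions.

```python
"""Resolver-side capability tracking for a mixed cluster behind one IP.

Constructed simulation (added example, not from the mailing-list thread):
- Cluster: a single IP whose load balancer round-robins over back-end
  servers, some of which support the hypothetical multi-QTYPE option.
- Server.handle returns (marker_present, records). A supporting server
  sets the marker in EVERY reply, even for a single QTYPE; a legacy
  server ignores the option, answers only the first QTYPE and sets none.
- Resolver tracks capability per IP and, on the first reply without the
  marker, downgrades that IP and falls back to one query per QTYPE.
"""
from dataclasses import dataclass
import itertools
from typing import Dict, List, Optional, Tuple

Records = Dict[str, Optional[str]]  # qtype -> rdata (None when no record)


@dataclass
class Server:
    name: str
    supports_multi_qtype: bool
    answers: Dict[Tuple[str, str], str]  # (qname, qtype) -> rdata

    def handle(self, qname: str, qtypes: List[str]) -> Tuple[bool, Records]:
        if self.supports_multi_qtype:
            return True, {qt: self.answers.get((qname, qt)) for qt in qtypes}
        # Legacy server: unknown option ignored, only the first QTYPE answered.
        first = qtypes[0]
        return False, {first: self.answers.get((qname, first))}


class Cluster:
    """Round-robin load balancer in front of heterogeneous servers (assumed)."""

    def __init__(self, ip: str, servers: List[Server]):
        self.ip = ip
        self._rr = itertools.cycle(servers)

    def query(self, qname: str, qtypes: List[str]) -> Tuple[bool, Records]:
        return next(self._rr).handle(qname, qtypes)


class Resolver:
    def __init__(self):
        self.caps: Dict[str, bool] = {}   # ip -> True (supported) / False (downgraded)
        self.queries_sent = 0
        self.downgrades: List[str] = []   # IPs that were seen supporting, then not

    def lookup(self, cluster: Cluster, qname: str, qtypes: List[str]) -> Records:
        ip = cluster.ip
        if self.caps.get(ip) is False:
            # Known-bad IP: never rely on the option again for this address.
            return self._one_per_qtype(cluster, qname, qtypes)

        marker, recs = cluster.query(qname, qtypes)
        self.queries_sent += 1
        if marker:
            self.caps[ip] = True
            return recs

        # Reply lacked the marker: single-IP-mixed-capabilities case.
        if self.caps.get(ip) is True:
            self.downgrades.append(ip)
        self.caps[ip] = False
        # The legacy server answered only the first QTYPE; fetch the rest.
        recs.update(self._one_per_qtype(cluster, qname, qtypes[1:]))
        return recs

    def _one_per_qtype(self, cluster: Cluster, qname: str, qtypes: List[str]) -> Records:
        out: Records = {}
        for qt in qtypes:
            _, recs = cluster.query(qname, [qt])
            self.queries_sent += 1
            out.update(recs)
        return out


def demo():
    """Three identical lookups against a cluster of one new and one old server."""
    answers = {("example.test", "A"): "192.0.2.1",
               ("example.test", "AAAA"): "2001:db8::1"}   # constructed data
    cluster = Cluster("203.0.113.53", [Server("new", True, answers),
                                       Server("old", False, answers)])
    r = Resolver()
    first = r.lookup(cluster, "example.test", ["A", "AAAA"])   # hits "new": 1 query
    second = r.lookup(cluster, "example.test", ["A", "AAAA"])  # hits "old": downgrade + 1 retry
    third = r.lookup(cluster, "example.test", ["A", "AAAA"])   # downgraded IP: 2 queries
    return r, first, second, third


if __name__ == "__main__":
    resolver, *results = demo()
    print(results, resolver.queries_sent, resolver.caps, resolver.downgrades)
```

The point the simulation makes is the one Shane's last paragraph makes: the resolver can only notice the downgrade because the supporting server marks every reply, so a marker-less reply is unambiguous evidence of a legacy back end rather than a quirk of the particular query. All three lookups return the same records; what changes is the query count (one, then two, then two) and the permanently downgraded capability for that IP.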