Hello DNSOP,
In draft-ietf-dnsop-structured-dns-error, there’s a description of how clients
should indicate that they understand extended DNS errors (EDE) by sending an
empty EDE option.
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-02.html#name-client-generating-request
This is something that makes a lot of sense to me, and provides a great way to
indicate that a client would prefer to receive proper blocked/filtered errors
(with possible extra text) as opposed to a forged answer.
However, in testing this out, I’m seeing inconsistent compatibility with some
public resolvers. I was testing enabling this for encrypted resolvers only, and
I see the following behavior for a sampling of resolvers using DoH:
1.1.1.1 - NOERROR, works fine!
9.9.9.9 - NOERROR, works fine!
8.8.8.8 - FORMERR on all responses
dns.adguard-dns.com - SERVFAIL on all responses
Do we think that this should be allowed in queries (and thus this is a bug in
resolvers like 8.8.8.8 or AdGuard)? Or is there a problem with the approach
this document is suggesting?
Best,
Tommy
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
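Added example (not part of Tommy's post or the draft): a minimal stub-resolver client in pure Python that builds the query the draft describes, an EDNS0 OPT RR carrying a zero-length EDE option (option code 15, RFC 8914), and classifies the reply the way the table above does. Nothing touches the network; the resolver replies are constructed locally with a hypothetical `build_response` helper and are stand-ins, not captures from 8.8.8.8 or AdGuard. The `classify` function and its wording are this example's own.

```python
"""Constructed example: signal EDE support with an empty EDE option and classify the reply.
No network I/O; sample resolver responses are built locally (see build_response)."""
import struct
import secrets

OPT_TYPE = 41                 # EDNS0 OPT pseudo-RR (RFC 6891)
EDE_OPTION_CODE = 15          # Extended DNS Error option (RFC 8914)
UDP_PAYLOAD = 1232
QR, RD = 0x8000, 0x0100
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
EDE_INFO_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered"}  # subset of RFC 8914 info-codes


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_message(txn_id, flags, qname, qtype, opt_rdata):
    """Header + one question + one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(opt_rdata)) + opt_rdata
    return header + question + opt


def build_query(qname, qtype=1, signal_ede=True, txn_id=None):
    """Client query; signal_ede=True appends the empty EDE option (code 15, length 0)."""
    if txn_id is None:
        txn_id = secrets.randbelow(1 << 16)
    opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, 0) if signal_ede else b""
    return build_message(txn_id, RD, qname, qtype, opt_rdata)


def build_response(txn_id, qname, rcode, ede=None, qtype=1):
    """Constructed stand-in for a resolver reply (hypothetical helper, not real resolver output).
    ede=(info_code, extra_text) adds a populated EDE option, e.g. (17, "...") for Filtered."""
    opt_rdata = b""
    if ede is not None:
        info_code, text = ede
        body = struct.pack("!H", info_code) + text.encode("utf-8")
        opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    return build_message(txn_id, QR | RD | rcode, qname, qtype, opt_rdata)


def parse_response(msg):
    """Return the transaction id, the full (extended) RCODE name and any decoded EDE options."""
    txn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    ext_rcode, edes = 0, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        ext_rcode = ttl >> 24                  # upper 8 bits of the 12-bit RCODE live in OPT TTL
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, p)
            body = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack_from("!H", body, 0)[0]
                text = body[2:].decode("utf-8", "replace")
                edes.append((info, EDE_INFO_NAMES.get(info, str(info)), text))
    rcode = (ext_rcode << 4) | (flags & 0x0F)
    return {"id": txn_id, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "ede": edes}


def classify(query, response):
    """Mirror the interop table in the post: did the resolver accept the empty EDE signal?"""
    parsed = parse_response(response)
    if parsed["id"] != struct.unpack_from("!H", query, 0)[0]:
        return "mismatched transaction id, ignore"
    if parsed["rcode"] in ("FORMERR", "SERVFAIL") and not parsed["ede"]:
        return f"{parsed['rcode']} with no EDE: resolver appears to reject the empty EDE option"
    if parsed["ede"]:
        info, name, text = parsed["ede"][0]
        return f"{parsed['rcode']} with EDE {info} ({name}): {text!r}"
    return f"{parsed['rcode']}: empty EDE option accepted"


if __name__ == "__main__":
    q = build_query("example.test.", txn_id=0x1234)
    for label, resp in [
        ("accepting resolver", build_response(0x1234, "example.test.", 0)),
        ("rejecting resolver", build_response(0x1234, "example.test.", 1)),
        ("filtering resolver", build_response(0x1234, "example.test.", 0, ede=(17, "policy"))),
    ]:
        print(f"{label}: {classify(q, resp)}")
```

The third constructed reply is the case the draft is aiming for: a filtering resolver returning an EDE option with an info-code and EXTRA-TEXT instead of a forged answer. A client running a check like this against its configured resolvers can record which of them answer FORMERR or SERVFAIL to the otherwise valid query, which is the evidence needed to decide whether the behaviour is a resolver bug or a problem with the signalling approach.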