--- Begin Message ---
Vladimír, Petr,
Thank you for the insight, we’ll inform the domain owners and after a grace
period turn on the rfc8198 style validation again.
Best Regards,
Ruben
> On 8 Sep 2021, at 14:37, Vladimír Čunát <[email protected]> wrote:
>
> Hello.
>
> On 08/09/2021 11.12, Ruben van Staveren via dns-operations wrote:
>> should we do more analysis of this phenomenon and even have a dns flag day
>> before even more resolvers and operators are going to implement RFC8198?
>> There might be an issue by deliberately exploiting this and make
>> websites/mail unreachable.
> Measuring how much this happens might be nice (or similar problems), but I
> don't think it will be worth a flag day. Aggressive resolvers have been
> deployed for years, and it apparently hasn't caused that much trouble.
>
> As for possibility of exploitation... experience (e.g. with F5) shows that
> some parties just won't fix stuff until there's significant pressure. I'd
> think that now the "gradient" for this is that operators should deploy
> aggressive caching instead of delaying, and that will help cleaning up this
> behavior (which has been non-compliant since RFC 4034+, not since 8198).
>
> --Vladimir | knot-resolver.cz
>
--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations