Well, we could ask them to implement EDNS correctly, let alone DNSSEC.

The following query should succeed but doesn't.

	dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +edns=1

There are no sane reasons to block EDNS negotiation.

Similarly there is no sane reason to drop EDNS queries with a Z flag bit set.  The following query also times out (requires dig from BIND 9.11.0 or later).

	dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +ednsflags=0x80

Dropping either +edns=1 or +ednsflags=0x80 results in a successful EDNS query.

The expected behaviour for both of these queries is well defined for EDNS(0) servers.  Return BADVERS for +edns=1 and ignore the flag bit in the request.

If you let EDNS version 0 queries through a firewall there are zero reasons to block either of these queries.

Mark

In message <823592EC-DF0E-4680-8C51-FF9EECCCDF5A@xxxxxxxxxxxxxxx>, David Conrad writes:
> On Sep 17, 2014, at 1:22 PM, Ross Finlayson <finlayson@xxxxxxxxxxx> wrote:
> > On Sep 17, 2014, at 8:56 AM, David Conrad <drc@xxxxxxxxxxxxxxx> wrote:
> >> If a connection attempt is made to a CloudFlare customer from a source IP address used in an attack, that connection is thrown over to a CAPTCHA.
> >
> > Can the IETF not be trusted to secure its own server(s)?
>
> Sure. How much do you want to spend?
>
> > Why have we contracted to a 3rd party that chooses to act as a 'Nanny’?
>
> Odd phrasing. It’s a feature of the service CloudFlare sells. It is (or was, haven’t looked in a number of years) tunable.
>
> Regards,
> -drc
>
> [PGP signature attachment omitted]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
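The EDNS(0) behaviour Mark describes (answer an unknown VERSION with BADVERS, ignore unknown flag bits rather than dropping the query) as an added model in Python; this is not code from the post or from any implementation discussed in the thread. The query builder and responder are written for this illustration, the packets it exchanges are constructed in memory to mirror the two dig cases (+edns=1 and +ednsflags=0x80), and nothing is sent on the wire.

```python
import struct

OPT_TYPE = 41
BADVERS = 16     # extended RCODE "bad EDNS version" (RFC 6891)
DO_BIT = 0x8000  # the only OPT flag bit assigned so far (RFC 3225)

def skip_name(msg, off):
    """Step over a wire-format name (labels or a compression pointer)."""
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
    return off + 1

def parse(msg):
    """Return (id, 12-bit RCODE, question bytes, EDNS version, OPT flags);
    version is None when the message carries no OPT RR."""
    qid, hflags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    question, version, flags, ext = msg[12:off], None, 0, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                  # TTL = ext-RCODE | VERSION | flags
            ext, version, flags = ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF
    return qid, (ext << 4) | (hflags & 0xF), question, version, flags

def build_query(qname, version=0, flags=0, qid=0x1234):
    """Constructed query: header, one A question, one OPT RR in the additional
    section, the shape dig +edns=N / +ednsflags=N puts on the wire (assumption)."""
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 QD, 1 AR
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\0"
    q += struct.pack(">HH", 1, 1)                            # QTYPE=A, QCLASS=IN
    opt = b"\0" + struct.pack(">HHIH", OPT_TYPE, 4096, (version << 16) | flags, 0)
    return hdr + q + opt

def answer_edns(query):
    """Model of a conforming EDNS(0) responder for the two cases in the post:
    VERSION != 0 -> BADVERS carrying our version (0); unknown flag bits -> ignored."""
    qid, _, question, version, flags = parse(query)
    if version is None:
        return None  # plain DNS query; outside this model
    rcode = BADVERS if version != 0 else 0
    hdr = struct.pack(">HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, 0, 0, 1)
    ttl = ((rcode >> 4) << 24) | (flags & DO_BIT)  # version 0, only DO echoed back
    return hdr + question + b"\0" + struct.pack(">HHIH", OPT_TYPE, 4096, ttl, 0)
```

A middlebox that drops either query instead of letting the server produce these answers is what breaks the negotiation the post describes.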