I misspoke. ENOCOFFEE

That said there is still no logical reason to block EDNS version 1 queries or queries with Z flag bits set.

Mark

In message <20140917223020.BD8E01FAE299@xxxxxxxxxxxxxxx>, Mark Andrews writes:
>
> Well we could ask them to implement EDNS correctly let alone DNSSEC.
> The following query should succeed but doesn't.
>
> dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +edns=1
>
> There are no sane reasons to block EDNS negotiation.
>
> Similarly there is no sane reason to drop EDNS queries with a Z flag bit set.
> The following query also times out (requires dig from BIND 9.11.0 or later).
>
> dig www.ietf.org.cdn.cloudflare.net @www.ietf.org.cdn.cloudflare.net +ednsflags=0x80
>
> Dropping either +edns=1 or +ednsflags=0x80 results in a successful EDNS query.
>
> The expected behaviour for both of these queries is well defined for EDNS(0)
> servers. Return BADVERS for +edns=1 and ignore the flag bit in the request.
>
> If you let EDNS version 0 queries through a firewall there are zero reasons to
> block either of these queries.
>
> Mark
>
> In message <823592EC-DF0E-4680-8C51-FF9EECCCDF5A@xxxxxxxxxxxxxxx>, David Conrad writes:
> >
> > On Sep 17, 2014, at 1:22 PM, Ross Finlayson <finlayson@xxxxxxxxxxx> wrote:
> > > On Sep 17, 2014, at 8:56 AM, David Conrad <drc@xxxxxxxxxxxxxxx> wrote:
> > >> If a connection attempt is made to a CloudFlare customer from a
> > >> source IP address used in an attack, that connection is thrown over to a
> > >> CAPTCHA.
> > > Can the IETF not be trusted to secure its own server(s)?
> >
> > Sure. How much do you want to spend?
> >
> > > Why have we contracted to a 3rd party that chooses to act as a 'Nanny'?
> >
> > Odd phrasing. It's a feature of the service CloudFlare sells. It is
> > (or was, haven't looked in a number of years) tunable.
> >
> > Regards,
> > -drc
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
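Added here as an example (not part of the thread, and not code from dig, BIND or CloudFlare): a small Python script that builds the two probes Mark describes at the wire level, an EDNS query with version 1 and an EDNS(0) query with a Z flag bit (0x80) set, then parses the OPT record of whatever comes back and reports whether the server behaved as EDNS(0) requires (BADVERS for version 1, a normal answer when only a Z bit is set) or whether nothing came back at all, which is the firewall symptom under discussion. It is meant for checking your own authoritative servers and the middleboxes in front of them. The reply used in the offline check is hand-built, not captured traffic, and `probe()`, `judge()` and `constructed_reply()` are names chosen for this example.

```python
"""Build EDNS probes (version 1, Z bit set), parse the reply's OPT record, judge compliance."""
import socket
import struct
import sys

OPT = 41
DO_BIT = 0x8000
# BADVERS is extended RCODE 1 in the OPT TTL field combined with header RCODE 0 -> 16
BADVERS = 16


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname, txid=0x1234, version=0, ednsflags=0, udp_size=4096, qtype=1):
    """One question plus one OPT RR; `version` and `ednsflags` mirror dig's +edns / +ednsflags."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE | VERSION | flags
    opt = b"\x00" + struct.pack("!HH", OPT, udp_size) + struct.pack("!BBH", 0, version, ednsflags)
    opt += struct.pack("!H", 0)  # RDLENGTH 0, no options
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_opt(msg):
    """Return (full rcode, EDNS version, flags) from a reply, or None if it has no OPT RR."""
    _, hflags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    found = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ext_rcode, version, flags, rdlen = struct.unpack("!HHBBHH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            found = ((ext_rcode << 4) | (hflags & 0x0F), version, flags)
    return found


def judge(version_sent, reply):
    """Apply the expected EDNS(0) behaviour to a reply (None means the query timed out)."""
    if reply is None:
        return "DROPPED: no reply; something between you and the server discards the query"
    opt = parse_opt(reply)
    if opt is None:
        return "NO-EDNS: server answered without an OPT record"
    rcode, version, flags = opt
    if version_sent != 0:
        if rcode == BADVERS:
            return "OK: BADVERS, server advertises EDNS version %d" % version
        return "NONCOMPLIANT: expected BADVERS (16), got rcode %d" % rcode
    zbits = flags & ~DO_BIT & 0xFFFF
    note = " (reply carries Z bits 0x%04x)" % zbits if zbits else ""
    return "OK: rcode %d, EDNS version %d%s" % (rcode, version, note)


def constructed_reply(qname, ext_rcode=0, answer_ip=None, txid=0x1234):
    """A hand-built reply (constructed for offline testing, not captured traffic)."""
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b""
    if answer_ip:  # owner name compressed to a pointer at offset 12, A record, TTL 300
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    opt = b"\x00" + struct.pack("!HH", OPT, 4096) + struct.pack("!BBH", ext_rcode, 0, 0) + b"\x00\x00"
    return header + question + answer + opt


def probe(server, qname, version=0, ednsflags=0, timeout=3.0):
    """Send one probe over UDP/53 and return the raw reply, or None on timeout."""
    query = build_edns_query(qname, version=version, ednsflags=ednsflags)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    server, qname = sys.argv[1], sys.argv[2]  # e.g. an address of your own authoritative server
    print("+edns=1        ->", judge(1, probe(server, qname, version=1)))
    print("+ednsflags=0x80->", judge(0, probe(server, qname, ednsflags=0x80)))
```

Run it as `python3 edns_probe.py <server-ip> <name>` against a server you operate; a "DROPPED" verdict on either probe while a plain EDNS(0) query succeeds points at a filter that inspects the OPT record, which is the behaviour the thread argues has no justification.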