Case randomization recently disabled?


#1

1.1.1.1 always randomized the capitalization in queries to authoritative servers, in line with draft-vixie-dnsext-dns0x20-00. As far as I know, it’s the default behavior of Knot Resolver, though it can be deactivated by the workarounds module when necessary.

Of late, though, all the queries to all my authoritative servers are in lowercase.

$ dig +short qname.lua.mattnordhoff.net txt @one.one.one.one
qnameqnameqnameqnameqnameqnameqnameqnameqnameqnameqname.lua-e-g.mn9.us.
"qnameqnameqnameqnameqnameqnameqnameqnameqnameqnameqname.lua-e-g.mn9.us"

(It’s a Lua record that reflects the query name.)

Can I ask what changed? Is it detecting a problem with my nameservers, Knot and PowerDNS? Did you turn it off globally? If so, why? Too many problems?

(If it’s the CommunityDNS lowercase TCP thing, they fixed it a few days ago.)

I’m partly asking because I think random capitalization is cool, even though whether it’s a good idea is debatable. :smile: But I’d also like to know if there’s a widespread problem with it.


#2

:wave: @mnordhoff we made the 0x20 opt-in rather than opt-out recently because there are too many domains broken in various ways when 0x20 is used, and it costs the resolver precious time to figure out that 0x20 is the cause. The 0x20 is generally useful at or below the SLD level when the length of the name has enough useful entropy, but that also makes it difficult to deploy due to the number of different nameservers below the TLD. Before we bring it back, we’ll have to revise the resolver strategy to prefer secure transport, and if it’s not available and the zone is not signed, only then we’ll try to probe for 0x20 support.


#3

Thanks for explaining! :smiley: I’m sad but it’s definitely understandable. I’m glad you haven’t given up entirely.

Unbound has its whole fallback strategy, but it’s not foolproof. Probing sounds interesting.

(Just today a Let’s Encrypt user had problems because of a nameserver that responds to non-lowercase queries with a root referral. DNS is an adventure.)
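As an added illustration (not code from any poster, nor from Knot Resolver or 1.1.1.1), the following Python shows the mechanics the thread is discussing: applying a 0x20 case pattern to a query name, building the question section on the wire, and classifying what an authoritative server echoes back, so that a server which lowercases the name (or answers with something else entirely, as in the root-referral case from the last post) is distinguishable from one that preserves the case. The query name is the one from the first post; the "response" bytes are constructed inline for the demonstration, and `qid` is an arbitrary sample value.

```python
import secrets
import struct

def letter_count(qname: str) -> int:
    """Number of ASCII letters in the name; only these carry 0x20 entropy."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def apply_0x20(qname: str, bits: int) -> str:
    """Apply a case pattern to the letters of qname (0x20 encoding).

    Bit i of `bits` sets the case of the i-th ASCII letter: 1 -> upper,
    0 -> lower. Digits, '-' and '.' have no case and are left untouched.
    """
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def random_0x20(qname: str) -> str:
    """Pick a fresh random case pattern for an outgoing query."""
    n = letter_count(qname)
    return apply_0x20(qname, secrets.randbits(n)) if n else qname

def encode_qname(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    wire = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Read the uncompressed QNAME that starts right after the 12-byte header.

    Question sections are not compressed in practice, so pointers (top two
    bits set) are not handled here.
    """
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + "."

def build_query(qname: str, qid: int, qtype: int = 16) -> bytes:
    """Header (id, flags=0, qdcount=1) + question (default QTYPE 16 = TXT, IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)

def classify_echo(sent: str, received: str) -> str:
    """Compare the QNAME we sent with the one the server echoed.

    'match'          -> case preserved byte for byte (0x20 check passes)
    'case-mismatch'  -> same name, different case (server rewrote the case)
    'different-name' -> the question does not even match ignoring case
    """
    s, r = sent.rstrip("."), received.rstrip(".")
    if s == r:
        return "match"
    if s.lower() == r.lower():
        return "case-mismatch"
    return "different-name"

def check_response(query: bytes, response: bytes) -> str:
    """Classify a raw response against the raw query that produced it."""
    return classify_echo(decode_qname(query), decode_qname(response))

if __name__ == "__main__":
    name = "qname.lua.mattnordhoff.net"
    sent = random_0x20(name)
    query = build_query(sent, qid=0x1234)
    # Constructed responses: one echoes the case, one lowercases the name.
    good = build_query(sent, qid=0x1234)
    lowercased = build_query(name, qid=0x1234)
    print(sent, check_response(query, good), check_response(query, lowercased))
```

A resolver that enforces 0x20 treats anything other than `match` as a reason to discard the response; the thread's point is that a non-trivial share of authoritative servers produce `case-mismatch` (or worse), which is why the check has been made opt-in rather than default.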