Page MenuHomePhabricator

ssingh (Sukhbir Singh)
OK Computer

Projects

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Sunday

  • Clear sailing ahead.

User Details

User Since
Dec 11 2018, 9:39 PM (116 w, 2 d)
Availability
Available
IRC Nick
sukhe
LDAP User
Unknown
MediaWiki User
SSingh (WMF) [ Global Accounts ]

SRE/Traffic

Recent Activity

Tue, Mar 2

ssingh added a comment to T274605: Top read is showing one page that had fake traffic in zhwiki.

Hi @JAllemandou: thanks, I think proceeding through Wikimedia Taiwan as @Shizhao mentioned is probably a good idea. In the meantime, I will ask for a contact in the community and also if the partnerships team has some idea (we have asked for their help in the recent past with a similar issue).

Tue, Mar 2, 4:54 PM · Wikimedia Taiwan, Analytics, Chinese-Sites, Pageviews-Anomaly, Product-Infrastructure-Team-Backlog

Wed, Feb 24

ssingh created T275696: decommission cescout1001.eqiad.wmnet.
Wed, Feb 24, 9:04 PM · SRE, Traffic, decommission-hardware

Mon, Feb 22

ssingh added a comment to T275234: TATA SKY Broadband (AS134674) issues with connecting to upload.wikimedia.org.

We decided to file https://github.com/citizenlab/test-lists/pull/730 so that we can get some test data.

Mon, Feb 22, 8:02 PM · SRE, netops, Traffic
ssingh added a comment to T275409: Create and document Wikidough's privacy policy.

For reference, https://wiki.mozilla.org/Security/DOH-resolver-policy has links to the privacy policies of the Mozilla-approved resolvers.

Mon, Feb 22, 7:46 PM · SRE, Traffic
ssingh updated subscribers of T275409: Create and document Wikidough's privacy policy.
Mon, Feb 22, 4:54 PM · SRE, Traffic
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T275409: Create and document Wikidough's privacy policy.
Mon, Feb 22, 4:54 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T275409: Create and document Wikidough's privacy policy: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Mon, Feb 22, 4:53 PM · SRE, Traffic
ssingh created T275409: Create and document Wikidough's privacy policy.
Mon, Feb 22, 4:53 PM · SRE, Traffic

Sun, Feb 21

ssingh updated ssingh.
Sun, Feb 21, 4:48 PM
ssingh updated ssingh.
Sun, Feb 21, 4:48 PM

Tue, Feb 16

ssingh added a comment to T274914: Reducing logging levels when running a Hive query.

I edited the task but I wanted to add here as well that this happens when I run the Hive query from Spark.

Tue, Feb 16, 7:20 PM · Analytics
ssingh added a comment to T274823: Big increase in traffic for projects except 'wikipedia' family since Feb 14th.

Thanks for opening this task, Marcel.

Tue, Feb 16, 7:18 PM · Analytics-Radar, Product-Analytics (Kanban)
ssingh updated the task description for T274914: Reducing logging levels when running a Hive query.
Tue, Feb 16, 6:53 PM · Analytics
ssingh created T274914: Reducing logging levels when running a Hive query.
Tue, Feb 16, 5:43 PM · Analytics

Wed, Feb 10

ssingh moved T274431: Wikidough: Support EDNS(0) Padding: RFC 7830 and RFC 8467 from Triage to DNS Infra on the Traffic board.
Wed, Feb 10, 9:18 PM · SRE, Traffic
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T274431: Wikidough: Support EDNS(0) Padding: RFC 7830 and RFC 8467.
Wed, Feb 10, 9:14 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T274431: Wikidough: Support EDNS(0) Padding: RFC 7830 and RFC 8467: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Wed, Feb 10, 9:14 PM · SRE, Traffic
ssingh created T274431: Wikidough: Support EDNS(0) Padding: RFC 7830 and RFC 8467.
Wed, Feb 10, 9:13 PM · SRE, Traffic

Tue, Feb 9

ssingh added a comment to T273741: Investigate unusual media traffic pattern for AsterNovi-belgii-flower-1mb.jpg on Commons.

Thank you for the interest in this task! Like we shared yesterday, we have identified that the traffic is coming from a popular mobile app in India. We have initiated contact with the app developers, and are waiting to hear back from them. In the meantime, given the volume of requests, we have decided to ban those specific requests until the issue is resolved. While we will refrain from naming the app at this time, we can share that it is not on the list of apps mentioned in this task. Nevertheless, we thank you for your comments and suggestions on how to debug this!

Tue, Feb 9, 5:17 PM · Patch-For-Review, Commons, Traffic, SRE
ssingh added a comment to T273741: Investigate unusual media traffic pattern for AsterNovi-belgii-flower-1mb.jpg on Commons.

Thank you everyone for the comments and suggestions. I just wanted to share that we have identified the app and will update this task tomorrow. (And yes, it is a mobile app.)

Tue, Feb 9, 3:29 AM · Patch-For-Review, Commons, Traffic, SRE

Mon, Feb 8

ssingh added a comment to T273741: Investigate unusual media traffic pattern for AsterNovi-belgii-flower-1mb.jpg on Commons.

Could it be this app?

https://apps.apple.com/hk/app/iclass-corporate/id1439400748?l=en

The picture appears in a screenshot...

Mon, Feb 8, 11:14 PM · Patch-For-Review, Commons, Traffic, SRE
ssingh added a comment to T273741: Investigate unusual media traffic pattern for AsterNovi-belgii-flower-1mb.jpg on Commons.

I found several places where this URL is being used in sample code, which might have been picked up by somebody and built into an app:

https://stackoverflow.com/questions/18586466/foursqaure-photo-add-against-checkin
https://stackoverflow.com/questions/18232898/node-js-http-get-with-node-js-step-module
https://html.developreference.com/article/14455997/Downloading+image+from+the+web+with+imagemagick+and+saving+to+parse

seems like this particular flower has been kicking around as a sample image for quite a few years.

Mon, Feb 8, 11:14 PM · Patch-For-Review, Commons, Traffic, SRE

Feb 2 2021

ssingh triaged T273679: Wikidough: Upgrade to dnsdist 1.6.0 as Medium priority.
Feb 2 2021, 9:36 PM · SRE, Traffic
ssingh moved T273679: Wikidough: Upgrade to dnsdist 1.6.0 from Triage to DNS Infra on the Traffic board.
Feb 2 2021, 9:36 PM · SRE, Traffic
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T273679: Wikidough: Upgrade to dnsdist 1.6.0.
Feb 2 2021, 9:35 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T273679: Wikidough: Upgrade to dnsdist 1.6.0: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Feb 2 2021, 9:35 PM · SRE, Traffic
ssingh created T273679: Wikidough: Upgrade to dnsdist 1.6.0.
Feb 2 2021, 9:34 PM · SRE, Traffic

Jan 29 2021

ssingh closed T273322: Disable broken security update polling for dnsdist, a subtask of T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver, as Resolved.
Jan 29 2021, 8:42 PM · Patch-For-Review, SRE, Traffic
ssingh closed T273322: Disable broken security update polling for dnsdist as Resolved.

Change merged and tested; broken security polling is now disabled.

Jan 29 2021, 8:42 PM · SRE, Traffic
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T273322: Disable broken security update polling for dnsdist.
Jan 29 2021, 8:19 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T273322: Disable broken security update polling for dnsdist: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Jan 29 2021, 8:19 PM · SRE, Traffic
ssingh created T273322: Disable broken security update polling for dnsdist.
Jan 29 2021, 8:18 PM · SRE, Traffic

Jan 15 2021

ssingh added a comment to T269256: Story Idea for Blog: Automated detection of wikipedia censorship events .

Thanks, @ssingh! I've addressed these issues. I did have to replace the formula with an actual image, as the formatting was not copying over from the doc, and I wasn't able to format it correctly as text in the blog. Let me know if this looks okay to you!

Jan 15 2021, 6:40 PM · Technical-blog-posts
ssingh added a comment to T269256: Story Idea for Blog: Automated detection of wikipedia censorship events .

@Nuria This is published! https://techblog.wikimedia.org/2021/01/15/censorship-outages-and-internet-shutdowns-monitoring-wikipedias-accessibility-around-the-world/

Can you take a look and let me know if everything looks good to you and if there is anything that needs correction?

Once I have your go ahead, I'll announce it more widely.

Jan 15 2021, 5:07 PM · Technical-blog-posts

Jan 6 2021

ssingh added a comment to T263030: Make data quality stats alert only if anomalous metrics change.

@ssingh @elukey

I've been looking into this a bit and have had some second thoughts.

Jan 6 2021, 9:28 PM · Analytics

Jan 4 2021

ssingh closed T267424: Integration tests for Wikidough as Resolved.

With https://gerrit.wikimedia.org/r/639838 merged, I am going to mark this as resolved as the first iteration of the test suite for Wikidough is now complete.

Jan 4 2021, 2:39 PM · Traffic, SRE
ssingh closed T267424: Integration tests for Wikidough, a subtask of T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver, as Resolved.
Jan 4 2021, 2:38 PM · Patch-For-Review, SRE, Traffic

Dec 17 2020

ssingh assigned T270434: Update admin password for Wikimedia-MA mailing list to RLazarus.
Dec 17 2020, 8:58 PM · SRE-Access-Requests, SRE, Wikimedia-Mailing-lists

Dec 15 2020

ssingh added a comment to T268850: Provide python 3.8 in CI test images.

Hi, thanks for your work on this task! Is my understanding correct that this blocks on T241195?

Dec 15 2020, 4:56 PM · Release-Engineering-Team (CI & Testing services), Continuous-Integration-Infrastructure

Dec 8 2020

ssingh updated ssingh.
Dec 8 2020, 11:09 PM

Dec 7 2020

ssingh closed T269610: Requesting access to Analytics Data for Michael Große (WMDE) as Resolved.

Thanks @Dzahn for th review and the additional context.

Dec 7 2020, 10:11 PM · SRE, SRE-Access-Requests
ssingh updated the task description for T269610: Requesting access to Analytics Data for Michael Große (WMDE).
Dec 7 2020, 7:47 PM · SRE, SRE-Access-Requests
ssingh claimed T269610: Requesting access to Analytics Data for Michael Große (WMDE).
Dec 7 2020, 7:37 PM · SRE, SRE-Access-Requests
ssingh closed T269444: Requesting access to Analytics Data for Jakob_WMDE as Resolved.

Hi @Jakob_WMDE: This request has been merged and you should have received an email with the Kerberos password. Please let us know if there are any issues. Thanks!

Dec 7 2020, 3:41 PM · SRE, SRE-Access-Requests
ssingh closed T269472: Kerberos Password as Resolved.

Hi @Swagoel: You should have received an email with the Kerberos password. Please let us know if there are any issues, thanks!

Dec 7 2020, 12:09 PM · SRE, SRE-Access-Requests, Analytics
ssingh added a comment to T269472: Kerberos Password.

(Additional context: T267314).

Dec 7 2020, 12:04 PM · SRE, SRE-Access-Requests, Analytics
ssingh claimed T269472: Kerberos Password.
Dec 7 2020, 12:03 PM · SRE, SRE-Access-Requests, Analytics

Dec 4 2020

ssingh closed T269365: Onboarding Genoveva, access request to ldap/wmf as Resolved.

Request has been merged and user has been added to the wmf group. Please reopen if there are any issues. Thanks!

Dec 4 2020, 5:16 PM · SRE, LDAP-Access-Requests
ssingh added a comment to T269444: Requesting access to Analytics Data for Jakob_WMDE.

APPROVED!

Dec 4 2020, 2:58 PM · SRE, SRE-Access-Requests
ssingh updated the task description for T269444: Requesting access to Analytics Data for Jakob_WMDE.
Dec 4 2020, 2:44 PM · SRE, SRE-Access-Requests
ssingh closed T269327: Please create testing-infrastructure mailing list as Resolved.

The requested mailing list has been created. Marking this as resolved but please reopen if there are any issues. Thanks!

Dec 4 2020, 2:42 PM · SRE-Access-Requests, SRE, Wikimedia-Mailing-lists
ssingh claimed T269444: Requesting access to Analytics Data for Jakob_WMDE.
Dec 4 2020, 1:30 PM · SRE, SRE-Access-Requests

Dec 3 2020

ssingh added a comment to T269327: Please create testing-infrastructure mailing list.

The list testing-infrastructure has been created and you should have received an email.

Dec 3 2020, 10:16 PM · SRE-Access-Requests, SRE, Wikimedia-Mailing-lists
ssingh added a project to T269327: Please create testing-infrastructure mailing list: SRE-Access-Requests.
Dec 3 2020, 9:26 PM · SRE-Access-Requests, SRE, Wikimedia-Mailing-lists
ssingh claimed T269327: Please create testing-infrastructure mailing list.
Dec 3 2020, 9:25 PM · SRE-Access-Requests, SRE, Wikimedia-Mailing-lists
ssingh added a comment to T269365: Onboarding Genoveva, access request to ldap/wmf.

@gengh: Access request merged; please let me know if there are any issues. Welcome!

Dec 3 2020, 8:57 PM · SRE, LDAP-Access-Requests
ssingh claimed T269365: Onboarding Genoveva, access request to ldap/wmf.
Dec 3 2020, 4:58 PM · SRE, LDAP-Access-Requests
ssingh closed T269284: Requesting access to Analytics Data for WMDE-leszek as Resolved.

Thanks for confirming!

Dec 3 2020, 4:40 PM · SRE-Access-Requests, SRE
ssingh closed T269351: Change production access ssh key for wmde-leszek as Resolved.

Key confirmed out-of-band; request merged. Thanks! Feel free to reopen if there are any issues.

Dec 3 2020, 2:27 PM · SRE, SRE-Access-Requests

Dec 2 2020

ssingh added a comment to T269284: Requesting access to Analytics Data for WMDE-leszek.

@WMDE-leszek: This request has been merged, you should have access! I will leave this task open for another day or so but please let me know if there are any issues. Thanks!

Dec 2 2020, 9:35 PM · SRE-Access-Requests, SRE
ssingh added a comment to T269284: Requesting access to Analytics Data for WMDE-leszek.

Change has been requested by a WMDE manager themselves (https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#wmde_access) and approved by Andrew.

Dec 2 2020, 9:19 PM · SRE-Access-Requests, SRE
ssingh updated the task description for T269284: Requesting access to Analytics Data for WMDE-leszek.
Dec 2 2020, 9:11 PM · SRE-Access-Requests, SRE
ssingh updated the task description for T269284: Requesting access to Analytics Data for WMDE-leszek.
Dec 2 2020, 9:02 PM · SRE-Access-Requests, SRE
ssingh claimed T269284: Requesting access to Analytics Data for WMDE-leszek.
Dec 2 2020, 8:27 PM · SRE-Access-Requests, SRE

Nov 30 2020

ssingh updated subscribers of T268818: Publish Wikibase tarball releases on releases.wikimedia.org.

@thcipriani: Adding you to this task to see if you have any possible concerns about this request as it involves the use of the release servers. Thanks!

Nov 30 2020, 7:14 PM · SRE-Access-Requests, SRE, Patch-For-Review
ssingh closed T267771: LDAP access for Jan Jaquemot as Resolved.

Thanks for the confirmation Katie!

Nov 30 2020, 3:55 PM · SRE, LDAP-Access-Requests

Nov 26 2020

ssingh added a comment to T241195: Add python3.8 to buster-wikimedia pyall component.

Hi, just adding to this ticket here as I have a CI job failing that would be alleviated by fixing this issue (by specifying Python 3.8 as the interpreter): https://integration.wikimedia.org/ci/job/tox-docker/15602/console.

Nov 26 2020, 5:47 PM · serviceops, SRE
ssingh awarded T267355: Traffic anomaly alarms a Love token.
Nov 26 2020, 3:41 PM · Analytics-Kanban, Analytics
ssingh added a comment to T246682: [data quality alarms] Reduce the K to generate more reports.

Hi! Following up on these tickets now; sorry for the delay.

Nov 26 2020, 3:40 PM · Analytics

Nov 6 2020

ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T267424: Integration tests for Wikidough.
Nov 6 2020, 5:21 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T267424: Integration tests for Wikidough: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Nov 6 2020, 5:20 PM · Traffic, SRE
ssingh created T267424: Integration tests for Wikidough.
Nov 6 2020, 5:20 PM · Traffic, SRE

Oct 27 2020

WMDE-Fisch awarded T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver a Love token.
Oct 27 2020, 2:29 PM · Patch-For-Review, SRE, Traffic

Oct 6 2020

ssingh closed T263789: Wikidough: Upgrade to dnsdist 1.5.0 as Resolved.
sukhe@malmok:~$ /usr/bin/dnsdist --version
dnsdist 1.5.0 (Lua 5.2.4)
Oct 6 2020, 3:09 PM · Patch-For-Review, SRE, Traffic
ssingh closed T263789: Wikidough: Upgrade to dnsdist 1.5.0, a subtask of T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver, as Resolved.
Oct 6 2020, 3:09 PM · Patch-For-Review, SRE, Traffic
ssingh updated the task description for T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Oct 6 2020, 3:07 PM · Patch-For-Review, SRE, Traffic

Oct 5 2020

ssingh added a comment to T263789: Wikidough: Upgrade to dnsdist 1.5.0.

Another important change in 1.5.0 is https://github.com/PowerDNS/pdns/pull/7138 [dnsdist/rec: Drop remaining capabilities after startup]. For our dnsdist instance, this is handled for dnsdist.conf and the TLS certs by the following:

Oct 5 2020, 5:21 PM · Patch-For-Review, SRE, Traffic
ssingh updated the task description for T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Oct 5 2020, 11:54 AM · Patch-For-Review, SRE, Traffic

Oct 2 2020

ssingh added a comment to T263789: Wikidough: Upgrade to dnsdist 1.5.0.

For the DoH endpoints, we were already setting the paths explicitly (at https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsdist/templates/dnsdist.conf.erb#55) and also have /dns-query hardcoded (at https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/dnsdist/manifests/init.pp#64), so no change is required for the upgrade.

Oct 2 2020, 8:52 PM · Patch-For-Review, SRE, Traffic
ssingh updated the task description for T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Oct 2 2020, 8:48 PM · Patch-For-Review, SRE, Traffic
ssingh updated the task description for T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Oct 2 2020, 8:06 PM · Patch-For-Review, SRE, Traffic

Oct 1 2020

ssingh added a comment to T264367: URL to redirect to upcoming Wikipedia Birthday page on wikimediafoundation.org.

I am marking this as "WMF-NDA" in case something like wikipedia20.org is required (discussed with Hang on Slack).

Oct 1 2020, 9:47 PM · SRE, Domains, Traffic
ssingh changed the visibility for T264367: URL to redirect to upcoming Wikipedia Birthday page on wikimediafoundation.org.
Oct 1 2020, 9:45 PM · SRE, Domains, Traffic
ssingh updated the task description for T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Oct 1 2020, 3:03 PM · Patch-For-Review, SRE, Traffic

Sep 24 2020

ssingh claimed T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Sep 24 2020, 8:12 PM · Patch-For-Review, SRE, Traffic
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Sep 24 2020, 8:12 PM · Patch-For-Review, SRE, Traffic
ssingh added a parent task for T263789: Wikidough: Upgrade to dnsdist 1.5.0: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Sep 24 2020, 8:12 PM · Patch-For-Review, SRE, Traffic
ssingh created T263789: Wikidough: Upgrade to dnsdist 1.5.0.
Sep 24 2020, 8:09 PM · Patch-For-Review, SRE, Traffic

Sep 17 2020

ssingh added a comment to T263030: Make data quality stats alert only if anomalous metrics change.

Yes, sure! I think I can take care of the systemd timer part.

Sep 17 2020, 4:24 PM · Analytics

Sep 15 2020

ssingh added a comment to T257527: automatically collect network error reports from users' browsers (Network Error Logging API).

Rollout planning braindump

There's three degrees of freedom to play with here:

  1. The set of domains for which we request reports
  2. The sampling fraction we set for all of/each of those (when a user agent sees an error, how often does it create a report for that error?)
  3. The TTL we set for how long user agents will persist the above

I'm thinking the set of domains should roughly follow wiki deployment groups, as they're intended for phased rollouts that roughly follow wiki 'importance' / size of userbase affected, and also they make intuitive sense & are easy to explain).

I'm also thinking that TTLs should initially be short: let's say 1 hour to start with, and later on increasing up to something on the order of a week? The tradeoff to be made with TTLs is:

  • on a long TTL, if we also set the sampling fraction too high in a record that then persists for a long time, then eventgate and/or logstash could be overwhelmed in the event of a large outage.
  • on a too-short TTL, we won't get reports at all when infrequent users experience errors

We could probably do some analysis to figure out the per-user distribution of pageview inter-arrival times (or maybe that's already known? # of 1-day active users vs 7da vs 30da gives you enough of an idea), but I was thinking to keep it simple and just say "1 hour TTL to start, 1 week TTL when we're confident". The sampling fraction matters much more, anyway.

As for setting a sampling fraction, that's where things get really tricky.

  • Some domains are vastly more popular than other domains. There are also per-domain concerns, like vastly different geographical and geopolitical distributions of users, etc. In the long run, we very likely want different sampling fractions for different domains.
Sep 15 2020, 6:37 PM · Patch-For-Review, Product-Data-Infrastructure, SRE, Goal, Epic

Aug 21 2020

ssingh closed T259816: Enable DNSSEC validation in Wikidough, a subtask of T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver, as Resolved.
Aug 21 2020, 12:00 PM · Patch-For-Review, SRE, Traffic
ssingh closed T259816: Enable DNSSEC validation in Wikidough as Resolved.
Aug 21 2020, 11:59 AM · Patch-For-Review, Traffic, SRE

Aug 20 2020

ssingh added a comment to T259816: Enable DNSSEC validation in Wikidough.

So this means that they treat the DO bit to not only return the DNSSEC records but also to validate them? I can check this in the code but I just wanted to confirm if I am understanding this correctly. There is a table here https://docs.powerdns.com/recursor/dnssec.html#what-when that explains what happens and when re: DNSSEC validations.

DO or AD but yes i agree however i believe this is a PDNS implementation detail and not something specified in the RFC's

My understanding was that the role of the AD flag was redefined can now also be used by the client in the DNS query to explicitly ask for validation, meaning that it signals that it can understand and is interested in the response of the AD bit. (https://tools.ietf.org/html/rfc6840#section-5.7)

Indeed it was redefined however its new definition does not ask for validation it just asks for the AD bit to be returned in the answer. This could be used for instance to indicate in the browser tool bar that a domain is DNSSEC validated. i.e. if i do dig +noad ns ripe.net @1.1.1.1 dnssec validation is still preformed by the cloudflare servers but the AD bit is not set in the answer so the client has no way of knowing that.

Aug 20 2020, 3:38 PM · Patch-For-Review, Traffic, SRE
ssingh added a comment to T259816: Enable DNSSEC validation in Wikidough.

Given that outages due to misconfigured DNSSEC domains are all too common (see https://ianix.com/pub/dnssec-outages.html for a list)

Im not sure i would agree that they are "all to common". The list referenced shows failures in less the 30 "Major sites"*. Further the TLD's shown, other then ru and pl, seem pretty small.

Firefox has no way of distinguishing between a SERVFAIL response that resulted from a misconfigured auth server or from an actual bogus response.

the client can ask the question again with +CD to rule out validation or to try and preform it themself, however i doubt FF/Chrome do this

Aug 20 2020, 2:26 PM · Patch-For-Review, Traffic, SRE

Aug 17 2020

ssingh updated subscribers of T259816: Enable DNSSEC validation in Wikidough.
Aug 17 2020, 11:32 AM · Patch-For-Review, Traffic, SRE

Aug 6 2020

ssingh added a parent task for T259816: Enable DNSSEC validation in Wikidough: T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver.
Aug 6 2020, 4:56 PM · Patch-For-Review, Traffic, SRE
ssingh added a subtask for T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver: T259816: Enable DNSSEC validation in Wikidough.
Aug 6 2020, 4:56 PM · Patch-For-Review, SRE, Traffic
ssingh created T259816: Enable DNSSEC validation in Wikidough.
Aug 6 2020, 4:54 PM · Patch-For-Review, SRE, Traffic

Jul 14 2020

Ladsgroup awarded T252132: Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver a Love token.
Jul 14 2020, 3:36 PM · Patch-For-Review, SRE, Traffic

Jul 7 2020

ssingh placed T256412: Production shell access for Chris Albon up for grabs.

The only remaining item on this task is the "cloud (labs) groups: deployment-prep", that is better suited for the releng team. I am marking this as resolved from the SRE side and assigning it to them but please feel to reopen if there are any issues. Thank you.

Jul 7 2020, 1:54 PM · Patch-For-Review, Release-Engineering-Team, Machine-Learning-Team (Active Tasks), SRE