Just for another voice in this sub-discussion: I'm an authdns software implementer ( https://github.com/gdnsd/gdnsd ) with no connection to Cloudflare, and I like Refuse ANY. It's maybe hard to see all the issues with traditional ANY clearly unless you're implementing this stuff, but IMHO RFC 8482 is a really good path forward that I'm supportive of and have also implemented.
Well, I can't say I didn't anticipate it happening exactly like this, with someone from Cloudflare trying to retcon "the ANY query episode" by linking to the proposal drafted after the fact. As though a formal "here is our proposed change" document somehow magically excuses the fact that Cloudflare did "violate the integrity of DNS" in its unilateral decision to abandon parts of the DNS specification in favor of its own modifications in order to cut operating costs by reducing the workload on its servers. [0]
Your boss is talking about not "violating the integrity of DNS" and presents this case where upstream archive.is name servers return unexpected data. He proposes that CloudFlare cannot "just fix it" because doing so "would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service". However, Cloudflare chose to "just fix it" back then by "slapping a bandaid" on something your team saw as a problem instead of abiding by the proper change process. And Cloudflare did so not because of some critical security flaw, but as a cost-cutting measure.
Even if we limit what it means to "violate the integrity of DNS" to the first definition mentioned above (and completely ignore this second definition), Cloudflare "slapped a bandaid" on a PR problem it had a couple of years ago and decided to "just fix it" and "block a domain" by removing the domain and its assets from Cloudflare's infrastructure. [1]
Cloudflare has "violated the integrity of DNS" on more than one occasion using more than one of its own definitions.
Cloudflare "MUST" either adhere to the specification and its change process, or not adhere to the specification and its change process. Cloudflare "CANNOT" choose for both of these statements to be true, and one of them constitutes "violating the integrity of DNS".
