On Sat, 25 Jun 2016, Mark Andrews wrote:
> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant.
> They are returning FORMERR to queries with EDNS options. Unknown
> EDNS options are supposed to be ignored (RFC 6891).
>
> You can work around this with a server clause to disable sending the
> cookie option.
>
>     server <address> { request-sit no; }; // 9.10.x
>     server <address> { send-cookie no; }; // 9.11.x

That did it, at least for now.

> Now one could argue that FORMERR is legal under RFC 2671 (the initial
> EDNS specification) as no options were defined and to use an option
> you need to bump the EDNS version, but the servers don't do EDNS
> version negotiation either, as they return FORMERR to an EDNS version 1
> query rather than BADVERS. They also incorrectly copy back unknown
> EDNS flags.
>
> Whether this is the cause of your issue I don't know but it won't be
> helping.

The HRSA folks claim that their "site is fine". In hopes of disabusing them
of that notion I'll have our folks who have to try to use the HRSA site pass
along the trouble report.
Thanks for the diagnosis & work-around. Excellent as always & crazy fast,
too!
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-5555
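
The three behaviours named in the quoted diagnosis (FORMERR to an unknown EDNS option, FORMERR instead of BADVERS to an EDNS version 1 query, unknown EDNS flags copied back) can be checked mechanically. The following is an added example, not part of the original thread or of BIND: it builds the probe queries and classifies responses. All function names, the host `example.test`, option code 65001, flag bit 0x0080 and the response messages are assumptions constructed for illustration.

```python
import struct

FORMERR, BADVERS, OPT, PROBE_FLAG = 1, 16, 41, 0x0080  # PROBE_FLAG: unassigned EDNS flag bit (assumed)
PROBES = {"option": dict(options=struct.pack("!HH", 65001, 0)),  # local/experimental option code
          "version": dict(version=1), "flags": dict(flags=PROBE_FLAG)}

def build_msg(name, hflags=0, ext_rcode=0, version=0, flags=0, options=b"", edns=True):
    """DNS message with one A question and, if edns, an OPT record (RFC 6891)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", 0x1234, hflags, 1, 0, 0, int(edns)) + qname + struct.pack("!HH", 1, 1)
    if edns:  # root owner, type 41, class = UDP size, TTL = ext-rcode | version | flags
        msg += b"\0" + struct.pack("!HHBBHH", OPT, 4096, ext_rcode, version, flags, len(options)) + options
    return msg

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_edns(msg):
    """Return (full rcode, EDNS version or None when there is no OPT, EDNS flags)."""
    _, hflags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ext, ver, fl, rdlen = struct.unpack("!HHBBHH", msg[off:off + 10])
        if rtype == OPT:  # extended rcode supplies the upper 8 bits of the 12-bit rcode
            return (ext << 4) | (hflags & 0xF), ver, fl
        off += 10 + rdlen
    return hflags & 0xF, None, 0

def classify(test, resp):
    """Judge a response to the 'option', 'version' or 'flags' probe."""
    rcode, _, fl = parse_edns(resp)
    if test == "version":
        return "ok" if rcode == BADVERS else f"fail: rcode {rcode}, expected BADVERS"
    if rcode == FORMERR:
        return f"fail: FORMERR to {test} probe"
    if test == "flags" and fl & PROBE_FLAG:
        return "fail: probe flag copied back"
    return "ok"

# Constructed responses (QR bit 0x8000 set), modelled on the behaviour reported in the thread.
BROKEN = {t: build_msg("example.test", 0x8001, edns=False) for t in ("option", "version")}
BROKEN["flags"] = build_msg("example.test", 0x8000, flags=PROBE_FLAG)
GOOD = {t: build_msg("example.test", 0x8000) for t in ("option", "flags")}
GOOD["version"] = build_msg("example.test", 0x8000, ext_rcode=1)
```

A probe query is produced with `build_msg("example.test", **PROBES["version"])`; sending it and feeding the reply to `classify` is left to whatever transport is already in use.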