is served by the following servers.           300     IN      NS           300     IN      NS

Those servers return BADVERS to EDNS(0) queries with a EDNS option
present.  BADVERS is NEVER a valid rcode to a EDNS(0) request because
there is no EDNS version smaller than version 0.  BADVERS was defined
in RFC 2671.  Its purpose is to negotiate the highest common EDNS
version the client and server support which is determined by the
version field in the EDNS request.

Now RFC 2671 didn’t explicitly specify how to handle unknown EDNS
options but STD 13 has a catch all rcode (FORMERR) for how to answer
unknown messages.

RFC 2671 has subsequently been replaced by RFC 6891 which explicitly
says to ignore unknown EDNS options.

Named treats BADVERS to a EDNS(0) query as a indication that the
server DOES NOT UNDERSTAND EDNS as it is a response that should never
appear and retries the query without a EDNS option present.  This is
fine if the data being served is from a unsigned zone.  This, however,
bit to the server to get a DNSSEC response.

QWEST were informed years ago that their servers are broken.  Making
up stuff is not the way to get inter operability. 

The best thing can do now is find a DNS provider that
uses DNS servers that follow the DNS protocol.


On 12 Apr 2018, at 4:28 am, Mark Boolootian <> wrote:
> Hi folks,
> I upgraded out of 9.10 and into 9.12
> last week.  Subsequent to that, I received
> complaints about hosts in
> failing to resolve.
> We run validating recursive servers, and
> is signed.  
> I've poked at this but concluded I lack
> enough DNS foo to understand the specifics
> of the trouble.  It seems clear that
> isn't fully baked when it comes to EDNS:
> and I suspect that is what causes the resolution
> failures.
> I've read the thread on "Enforce EDNS".  I've
> tried reaching out to the standard RFC2142
> aliases at, but it looks like most of
> them bounce.  I'm not feeling particularly optimistic
> about being able to effect change on that end​,
> even if I got an answer.​
> I'm wondering if anyone from this august group
> can clue me in to how I might config around this
> issue for the servers (assuming that
> is possible).
> Any help greatly appreciated.
> best regards,
> mark
> _______________________________________________
> Please visit to unsubscribe 
> from this list
> bind-users mailing list

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET:

Please visit to unsubscribe 
from this list

bind-users mailing list

Reply via email to