Google's servers don't add EDNS options to the queries they make, so they don't see the bogus BADVERS response from the servers.
BADVERS should never be returned to an EDNS version 0 query, but these servers do when they see an EDNS option. There are also other servers that return BADVERS to any EDNS query. Named falls back to plain DNS when it sees BADVERS to an EDNS query. Unfortunately this doesn't work when the zone is signed and the server is validating.

--
Mark Andrews

> On 28 Jan 2018, at 09:28, PGNet Dev <pgnet....@gmail.com> wrote:
>
>> On 1/27/18 1:36 PM, Rob Sargent wrote:
>> Just for grins, try adding these lines to your named.conf file [within the
>> appropriate view] to see if that fixes it. I had to add something like it
>> to get usitc.gov working for my customers:
>> server 152.216.7.164 { send-cookie no; }; # ns1.irs.gov
>> server 152.216.7.165 { send-cookie no; }; # ns2.irs.gov
>> server 152.216.11.132 { send-cookie no; }; # ns3.irs.gov
>> server 152.216.11.133 { send-cookie no; }; # ns4.irs.gov
>> or whatever IP is failing. Not sure if your port 53 traffic goes thru QWest
>> but QWest is well known to be broken.
>
> That did the trick! All of *irs.gov now resolve at my server.
>
> Re: "well known", alas, not by me 'til now. So thx!
>
> It appears, then, that the set of servers in my tests are all 'sensitive' to
> said brokenness. I suppose if it's actual breakage, that's a good thing ...
>
> Not clear to me why/how the 'big' NSs, e.g. Google, manage to avoid the
> problem. Either they're INsensitive to the issue, or already have
> implemented a similar workaround?
>
> Also, if it's well known wouldn't a QWest have been given notice of said
> probs? Or are they in the DGAD camp?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
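The wire-level condition discussed in this thread, as an added example that is not part of the original messages or of BIND: it builds an EDNS version 0 query carrying a COOKIE option and checks whether a response answers it with BADVERS. The function names are hypothetical and every message is constructed in memory; nothing is sent to a server.

```python
import struct

OPT, COOKIE, BADVERS = 41, 10, 16  # OPT RR type, COOKIE option code, extended RCODE

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(name, cookie=None, response=False, ext_rcode=0):
    """A/IN message carrying an EDNS version 0 OPT record (constructed, never sent)."""
    opts = struct.pack("!HH", COOKIE, len(cookie)) + cookie if cookie else b""
    flags = (0x8000 if response else 0) | 0x0100 | (ext_rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 1232, ext_rcode >> 4, 0, 0, len(opts))
    return header + question + opt + opts

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += n + 1

def edns_info(msg):
    """Return (extended RCODE, EDNS version); version is None when there is no OPT."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return ((ttl >> 24) << 4) | (flags & 0xF), (ttl >> 16) & 0xFF
        off += 10 + rdlen
    return flags & 0xF, None

def bogus_badvers(query, response):
    """True when an EDNS version 0 query drew BADVERS, the behaviour described above."""
    return edns_info(query)[1] == 0 and edns_info(response)[0] == BADVERS

if __name__ == "__main__":
    q = build_message("irs.gov", cookie=bytes(range(8)))  # constructed client cookie
    bad = build_message("irs.gov", response=True, ext_rcode=BADVERS)
    print("query bytes:", len(q), "bogus BADVERS:", bogus_badvers(q, bad))
```

The extended RCODE is split across the message: its low four bits sit in the header and its upper eight bits in the OPT record's TTL field, which is why BADVERS (16) shows a header RCODE of 0.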