This is the signature of a Juniper firewall which drops EDNS version != 0 and
packets with an NSID option present.  Dropping EDNS version != 0 just breaks
future interoperability and has already impacted EDNS development, as
RFC 6891 would have included an EDNS version bump except for these stupid
firewalls dropping EDNS version != 0.  NSID is used to identify a server
in an anycast cluster and the information is not returned unless the operator
has configured the server to return it.  There is no need for a firewall to
drop queries with these properties.

Please file a bug report with Juniper.

Mark

> On 19 Jan 2019, at 4:02 am, N. Max Pierson <nmaxpier...@gmail.com> wrote:
> 
> Hi List,
> 
> I am trying to ensure our Bind servers comply with EDNS for the upcoming Flag 
> Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but from what I 
> have read, the information is somewhat conflicting as some documentation 
> states EDNS is not a record that you configure in your zone file then other 
> sites refer to some sort of OPT record you can configure. So my first 
> question is which of the documentation is correct from what I have read? Is 
> it DNS server functionality that supports EDNS or do you also have to 
> configure something in the zone files?
> 
> Also, I have 4 (well 5 counting the master that isn't queryable) nameservers 
> with multiple domains served on them. When I run one of my primary domains 
> through the ISC EDNS tool, it comes back as 2 out of the 4 are failing EDNS 
> queries. They are all on the same version of Bind (9.8.2rc1) and they are all 
> slaves of the master so they should all have the same records. Can anyone 
> please explain what I need to do to resolve the timeouts listed on the ISC 
> testing tool?
> 
> Here is what the tool says ...
> 
> 
> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok edns1=timeout 
> edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=timeout 
> 
> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok 
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok 
> optlist=ok 
> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok 
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=ok 
> 
> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok 
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok 
> optlist=ok 
> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok 
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=ok 
> 
> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok edns1=timeout 
> edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok 
> edns512tcp=ok optlist=timeout 
> 
> 
> 
> TIA!!
> 
> Regards,
> 
> Max
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
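
The two query properties named in the reply above, shown on the wire. This is an added example, not part of the original message and not the ISC tester's code: it builds a query with a chosen EDNS version and an optional NSID option (RFC 6891 OPT record, RFC 5001 option code 3) and decodes the OPT record of any reply. The function names, the SOA query type, the 4096-byte UDP size and the 3-second timeout are assumptions of this example.

```python
import socket
import struct

NSID = 3  # EDNS option code for NSID (RFC 5001)

def build_query(name, edns_version=0, nsid=False, qid=0x1234):
    """Build a DNS SOA query carrying an OPT record (RFC 6891)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(part)]) + part.encode() for part in labels) + b"\0"
    question = qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
    rdata = struct.pack("!HH", NSID, 0) if nsid else b""  # empty NSID option = request
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN
    opt = b"\0" + struct.pack("!HHBBHH", 41, 4096, 0, edns_version, 0, len(rdata)) + rdata
    return header + question + opt

def parse_opt(packet):
    """Return (edns_version, [option codes]) from the OPT record; None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    def skip_name(p):
        while packet[p]:
            if (packet[p] & 0xC0) == 0xC0:  # compression pointer ends the name
                return p + 2
            p += packet[p] + 1
        return p + 1
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 41:
            codes, p = [], pos
            while p < pos + rdlen:
                code, olen = struct.unpack("!HH", packet[p:p + 4])
                codes.append(code)
                p += 4 + olen
            return (ttl >> 16) & 0xFF, codes
        pos += rdlen

def probe(server, query, timeout=3.0):
    """Send one UDP query (IPv4); 'timeout' means no reply arrived at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return parse_opt(s.recvfrom(4096)[0])
        except socket.timeout:
            return "timeout"
```

Running `probe()` with `edns_version=1` or `nsid=True` from both sides of the firewall shows whether the name server or the device in front of it is discarding the packet; per RFC 6891 a server that does not implement the requested version answers with BADVERS rather than staying silent.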
