> What they told you sounds like bullshit to me. From 10.2 on
> there are no special settings required. Maybe they don't know
> how to do it?
>
> So I guess they are just very lazy or don't know better and
> blame the firewall... I pray for you that they don't run Code
> below 10.2...
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST

I'm guessing this isn't it.

If you inspect the error report at

https://ednscomp.isc.org/ednscomp/704c5b6649

it's quite clear that the test probes for support for EDNS version 1, and expects a "bad version" response, but is instead met with a DNS query time-out, indicating that an intermediate box has blocked either the query (most likely) or the response.

Not responding with "bad version" violates a MUST requirement of section 6.1.3 in RFC 6891, and is likely to be an impediment to actually developing & deploying EDNS version 1 (not yet standardized), and makes efficient EDNS version support negotiation impossible.

It's conceivable this is PR1379433, "DNS requests with EDNS options might be dropped by DNS ALG", fixed-in 15.1X49-D160 17.4R3 18.1R3 18.2R2 18.3R1 18.4R1.

Regards,

- Håvard
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
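
Added example, not part of the original message and not the ISC tester's code: a sketch of the check described above, which builds a query whose OPT record carries EDNS version 1 and classifies the reply as BADVERS, a time-out, or something else. The function names, the SOA query type, example.com and the sample reply are assumptions constructed for illustration.

```python
import struct

OPT_TYPE, BADVERS = 41, 16

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(version, ext_rcode=0, payload=4096):
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE | VERSION | flags, RDLEN = 0
    return b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, payload, ext_rcode, version, 0, 0)

def build_message(qname, version, flags=0, ext_rcode=0, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", 6, 1)   # SOA/IN (assumed qtype)
    return header + question + opt_rr(version, ext_rcode)

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(response):
    """Return (verdict, rcode) for the reply to an EDNS version 1 probe."""
    if response is None:
        return ("timeout", None)         # query or response dropped on the path
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    off, rcode, saw_opt = 12, flags & 0xF, False
    for _ in range(qd):
        off = skip_name(response, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        rtype, _, ext, _, _, rdlen = struct.unpack("!HHBBHH", response[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:            # upper 8 bits of the 12-bit RCODE live here
            rcode, saw_opt = rcode | (ext << 4), True
    if not saw_opt:
        return ("no-opt", rcode)
    return ("badvers" if rcode == BADVERS else "other", rcode)

# Constructed sample data, not captured traffic.
PROBE = build_message("example.com", version=1)
GOOD_REPLY = build_message("example.com", version=0, flags=0x8000, ext_rcode=1)

if __name__ == "__main__":
    print(classify(GOOD_REPLY), classify(None))
```

A "timeout" verdict for the version 1 probe, while the same query with version 0 is answered, matches the symptom in the report and points at a box on the path rather than at the name server.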