One of our SRXes was blocking EDNSv1, and so we disabled the DNS ALG to resolve our issue; this might be a prudent approach depending on your environment. Not sure this will help the OP as the device(s) in question are outside their administrative domain. :)
HTH, Niall

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Havard Eidnes
Sent: 25 January 2019 12:42
To: c...@ip4.de
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] DNS Flag Day

> What they told you sounds like bullshit to me. From 10.2 on there are
> no special settings required. Maybe they don't know how to do it?
>
> So I guess they are just very lazy or don't know better and blame the
> firewall... I pray for you that they don't run Code below 10.2...
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST

I'm guessing this isn't it.

If you inspect the error report at

https://ednscomp.isc.org/ednscomp/704c5b6649

it's quite clear that the test probes for support for EDNS version 1, and expects a "bad version" response, but is instead met with a DNS query time-out, indicating that an intermediate box has blocked either the query (most likely) or the response.

Not responding with "bad version" violates a MUST requirement of section 6.1.3 in RFC 6891, and is likely to be an impediment to actually develop & deploy EDNS version 1 (not yet standardized), and makes efficient EDNS version support negotiation impossible.

It's conceivable this is PR1379433, "DNS requests with EDNS options might be dropped by DNS ALG", fixed-in 15.1X49-D160 17.4R3 18.1R3 18.2R2 18.3R1 18.4R1.

Regards,

- Håvard
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
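The probe Håvard describes (an EDNS version 1 query that a compliant server answers with BADVERS, while a timeout points at something in the path dropping the OPT-bearing query or its reply) can be reproduced against a server you operate to check for exactly this DNS ALG symptom. This is an added Python example, not part of the thread or of ISC's ednscomp tool; the target server, the query name and the 3-second timeout are assumptions.

```python
import socket
import struct

BADVERS = 16  # RFC 6891 s6.1.3: combined RCODE a server MUST return for an unsupported EDNS version

def build_edns_query(name, version=1, qid=0x1234):
    """DNS A query for `name` carrying an OPT RR that asks for EDNS version `version`."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)   # ARCOUNT=1 for the OPT RR
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL = ext-RCODE|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, version, 0, 0)
    return header + question + opt

def _skip_name(msg, off):  # advance past a (possibly compressed) name, return the new offset
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def classify_response(resp):
    """Map a raw reply (None = nothing came back) to TIMEOUT, BADVERS, NOERROR or RCODE<n>."""
    if resp is None:
        return "TIMEOUT"        # the symptom in the thread: query or reply dropped in transit
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4                    # skip QTYPE + QCLASS
    ext_rcode = 0
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == 41:         # OPT: top 8 bits of the TTL field are the extended RCODE
            ext_rcode = ttl >> 24
        off += 10 + rdlen
    rcode = (ext_rcode << 4) | (flags & 0x0F)
    return {0: "NOERROR", BADVERS: "BADVERS"}.get(rcode, f"RCODE{rcode}")

def probe(server, name="example.com", version=1, timeout=3.0):  # assumed defaults
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, version), (server, 53))
        try:
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return classify_response(None)
```

Run `probe("<your-server-ip>")` from inside and outside the firewall: BADVERS on both sides is the compliant result, and TIMEOUT only from outside matches the ALG drop described above.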