recursive resolver, 9.9.7 works, not 9.10.x

Anders Löwinger anders at
Mon Apr 27 18:23:08 UTC 2015

On 2015-04-23 22:56, Mark Andrews wrote:
> The nameservers for are broken.  BIND 9.10.x Windows does
> SIT by default.  The correct EDNS behaviour for a server that does
> not understand a EDNS option is to *ignore* the option.


> Add the following to named.conf to temporarially work around the
> broken server.
>         server { request-sit no; };

As you suggest, it does work disabling sit.

> Doing this does not scale.

No, and it is going backwards disabling new extensions :(

> As this zone is both signed and has broken servers that return
> FORMERR named ends up falling back to plain DNS due to the FORMERR
> and that results in DNSSEC validation failing.

One more thing to check for when troubleshooting.

> .SE has high number of DNSSEC validated zones

Yes, I've done my fair share of helping customers signing.

> so it would be useful
> if .SE audited the delegated servers for correct behaviour wnen a
> EDNS extension is in the query (unknown EDNS option, unknown EDNS
> verion, unknown EDNS flag) and then informed the operators of said
> servers that they need to FIX THEM.  I already have scripts that
> can do the testing if people want them.

The problem is not testing, it is to get to the real tech people
behind the registrar. Registrars are not that interested, they sell
domains dirt-cheap and wants as little work as possible after that.

The amount of "clue" at registrars are very low. They are used to be
administrators and sending bills, now they need to understand IPv6,
DNSSEC and handle DS records in a secure way, possible implementing
an API.

It's like swimming against the stream, but I do what I can....

Anders Löwinger, Abundo AB, +46 72 206 0322

More information about the bind-users mailing list