Query on ignoring additional section returned in replies

Mike Hoskins (michoski) michoski at cisco.com
Wed Nov 18 16:10:59 UTC 2015

Yes, exactly.  Having spent a few decades wearing the DNS admin hat in
environments with large user bases, I'd be rich if I had a few cents for
all the times I've spent "digging" around to prove it's not "our" problem
but modern users don't care when they can just use Google DNS and it works

"It's an upstream issue Google is just working around."

"OK, so why can't you?"

Following up with the remote admins to fix the issue is often a joke, this
isn't the early Internet where most people had a clue, cared, listened to
zone contact mailboxes, or were enabled to make timely changes (in all
fairness with many orgs).  :-)

The upstream brokenness comes in various forms so there's no
one-size-fits-all, but for what it's worth to the OP some sites that gave
us issues in 9.9.x seems to work in 9.10.x after we explicitly changed
dnssec-validation to auto.  Can't fully explain that, but we literally had
queries running in a loop against google, 9.9.x and 9.10.x while we
twiddled different things and zones with upstream issues like this would
not resolve via 9.9.x but started working fine with 9.10.x.

