DNSSEC validation failures for www.hrsa.gov

Jay Ford jay-ford at uiowa.edu
Sat Jun 25 02:13:27 UTC 2016

On Sat, 25 Jun 2016, Mark Andrews wrote:
> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant.
> They are returning FORMERR to queries with EDNS options.  Unknown
> EDNS options are supposed to be ignored (RFC 6891).
> You can workaround this with a server clause to disable sending the
> cookie option with a server clause.
> server <address> { request-sit no; };	// 9.10.x
> server <address> { send-cookie no; };	// 9.11.x

That did it, at least for now.

> Now one could argue that FORMERR is legal under RFC 2671 (the initial
> EDNS specification) as no options were defined and to use a option
> you need to bump the EDNS version but the servers don't do EDNS
> version negotiation either as they return FORMERR to a EDNS version 1
> query rather than BADVERS.  They also incorrectly copy back unknown
> EDNS flags.

> Whether this is the cause of your issue I don't know but it won't be
> helping.

The HRSA folks claim that their "site is fine".  In hopes of disabusing them 
of that notion I'll have our folks who have to try to use the HRSA site pass 
along the trouble report.

Thanks for the diagnosis & work-around.  Excellent as always & crazy fast, 

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555
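The checks Mark describes above (FORMERR on an EDNS option, FORMERR instead of BADVERS on an EDNS version 1 probe, unknown EDNS flags copied back) can be scripted. The following Python is an added example, not code from the thread or from BIND: it builds the probe queries with the standard library, and `fake_reply` is an assumed helper that fabricates the kind of answer a server might send so the classifier can be exercised offline; the RFC 6891 layout of the OPT record is real, the sample replies are constructed.

```python
import struct

OPT_TYPE, COOKIE_OPTION = 41, 10   # OPT RR type; EDNS COOKIE option code (RFC 7873)
FORMERR, BADVERS = 1, 16           # RCODE 1; extended RCODE 16, carried in the OPT TTL
UNKNOWN_FLAG = 0x4000              # an EDNS flag bit no RFC assigns (DO is 0x8000)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def opt_rr(ext_rcode=0, version=0, flags=0, options=b""):
    ttl = (ext_rcode << 24) | (version << 16) | flags          # RFC 6891 TTL field layout
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(options)) + options

def cookie_option(client_cookie):
    return struct.pack("!HH", COOKIE_OPTION, len(client_cookie)) + client_cookie

def build_edns_query(name, version=0, flags=0, options=b""):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # A, IN
    return header + question + opt_rr(version=version, flags=flags, options=options)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0: off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)          # pointer is 2 bytes, root 1

def find_opt(msg):                 # -> (ext_rcode, version, flags) of the OPT RR, or None
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd): off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE: return ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF
        off += 10 + rdlen
    return None

def classify(query, response):
    """The three checks from the thread: full RCODE, OPT echoed, unknown flags copied back."""
    rcode = struct.unpack("!H", response[2:4])[0] & 0xF
    opt = find_opt(response)
    if opt: rcode |= opt[0] << 4                                  # extended RCODE bits
    q_flags = find_opt(query)[2]
    return {"rcode": rcode, "opt_in_reply": opt is not None,
            "copies_unknown_flags": bool(opt and opt[2] & q_flags & ~0x8000)}

def fake_reply(query, rcode, ext_rcode=0, version=0, flags=0, keep_opt=True):
    """Constructed reply for offline use: echo the question, set QR/RCODE, optional OPT."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8000 | rcode, 1, 0, 0, int(keep_opt))
    qend = skip_name(query, 12) + 4
    return hdr + query[12:qend] + (opt_rr(ext_rcode, version, flags) if keep_opt else b"")
```

Against a live server you would send `build_edns_query(...)` over UDP port 53 and pass the raw answer to `classify`; a compliant server returns RCODE 0 with the OPT echoed for the cookie probe, BADVERS for the version 1 probe, and never sets the unknown flag in its reply.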
