<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 24-Jun-16 22:13, Jay Ford wrote:<br>
</div>
<blockquote
cite="mid:%3Calpine.DEB.2.20.1606242104290.17096@headset.its.uiowa.edu%3E"
type="cite">On Sat, 25 Jun 2016, Mark Andrews wrote:
<br>
<blockquote type="cite">The servers for webfarm.dr.hrsa.gov are
not EDNS and DNSSEC compliant.
<br>
They are returning FORMERR to queries with EDNS options.
Unknown
<br>
EDNS options are supposed to be ignored (RFC 6891).
<br>
<br>
You can work around this with a server clause to disable sending
the
<br>
cookie option with a server clause.
<br>
<br>
server &lt;address&gt; { request-sit no; }; // 9.10.x
<br>
server &lt;address&gt; { send-cookie no; }; // 9.11.x
<br>
</blockquote>
<br>
That did it, at least for now.
<br>
<br>
<blockquote type="cite">Now one could argue that FORMERR is legal
under RFC 2671 (the initial
<br>
EDNS specification) as no options were defined and to use an
option
<br>
you need to bump the EDNS version but the servers don't do EDNS
<br>
version negotiation either as they return FORMERR to an EDNS
version 1
<br>
query rather than BADVERS. They also incorrectly copy back
unknown
<br>
EDNS flags.
<br>
</blockquote>
<br>
<blockquote type="cite">Whether this is the cause of your issue I
don't know but it won't be
<br>
helping.
<br>
</blockquote>
<br>
The HRSA folks claim that their "site is fine". In hopes of
disabusing them of that notion I'll have our folks who have to try
to use the HRSA site pass along the trouble report.
<br>
<br>
Thanks for the diagnosis &amp; work-around. Excellent as always
&amp; crazy fast, too!
<br>
<br>
________________________________________________________________________
<br>
Jay Ford, Network Engineering Group, Information Technology
Services
<br>
University of Iowa, Iowa City, IA 52242
<br>
email: <a class="moz-txt-link-abbreviated" href="mailto:jay-ford@uiowa.edu">jay-ford@uiowa.edu</a>, phone: 319-335-5555
<br>
<br>
</blockquote>
<br>
<p>FWIW, dnsfp identifies the DNS servers as:</p>
<pre style="padding: 9.5px; font-family: Monaco, Menlo, Consolas, 'Courier New', monospace; font-size: 13px; color: rgb(51, 51, 51); border-radius: 4px; display: block; margin: 0px 0px 10px; line-height: 20px; white-space: pre-wrap; border: 1px solid rgba(0, 0, 0, 0.14902); background-color: rgb(255, 255, 204);">fingerprint (162.99.248.222, 162.99.248.222): Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules]
</pre>
If this is correct, the project website for Eagle DNS would appear
to be: <a href="http://www.unlogic.se/projects/eagledns">http://www.unlogic.se/projects/eagledns</a><br>
<br>
It seems a rather odd choice for a .gov (US Health and Human
Services) owned domain...though one never knows what IT outsourcing
will produce :-)<br>
<br>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
</body>
</html>