digitup.in. @205.251.193.229 (ns-485.awsdns-60.com.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @2600:9000:5301:e500::1 (ns-485.awsdns-60.com.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @205.251.197.174 (ns-1454.awsdns-53.org.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @2600:9000:5305:ae00::1 (ns-1454.awsdns-53.org.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @205.251.195.160 (ns-928.awsdns-52.net.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @2600:9000:5303:a000::1 (ns-928.awsdns-52.net.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @205.251.199.14 (ns-1806.awsdns-33.co.uk.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
digitup.in. @2600:9000:5307:e00::1 (ns-1806.awsdns-33.co.uk.): dns=refused zflag=refused edns=refused,noopt edns1=ok edns@512=refused,noopt,notc ednsopt=refused,noopt edns1opt=ok do=refused,noopt ednsflags=refused,noopt docookie=refused,noopt edns512tcp=refused,noopt optlist=refused,noopt
Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get a unintended answer or resolution will be slower than necessary.
Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.
dig +norec +noad +noedns soa zone @server
expect: SOA
expect: NOERROR
This is the style of the initial query that BIND 9.0.x sends.
dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891
dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
This is the style of then initial query that BIND 9.1.0 - BIND 9.10.x sends.
dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225
dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags
This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.
dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225,
RFC6891, and
RFC7873.
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and
See RFC6891
dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC6891
dig +norec +noad +noedns +zflag soa zone @server
expect: SOA
expect: NOERROR
expect: Z bit to be clear in response
See RFC1035, 4.1.1. Header section format
To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/67c845d631
The source code for the tester can be downloaded from ISC Open Source Projects / DNS-Compliance-Testing.
For more information about EDNS please see the main site.
© 2015 Internet Systems Consortium - Powered By: CGIC (License) - Thomas Boutell