Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Thank you Mark. Your insight and detail are always helpful and immensely appreciated. For what it's worth, I will make it a point to reach out to the relevant parties to grouse to the extent possible about the damage done by DNS servers authoritative for DNSSEC signed zones that aren't properly su

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Andrews
Archives.org is served by the following servers.

archives.gov. 300 IN NS sauthns1.qwest.net.
archives.gov. 300 IN NS sauthns2.qwest.net.

Those servers return BADVERS to EDNS(0) queries with an EDNS option present. BADVERS is NEVER a valid rcode to

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Ah, you are awesome Carl! Thank you!! And doh, stupid me. I was emailing the wrong people.

On Wed, Apr 11, 2018 at 11:45 AM, Carl Byington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
>
> >> I'm wondering if anyone fr

Re: EDNS, 9.12 and archives.gov

2018-04-11 Thread Carl Byington
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2018-04-11 at 11:28 -0700, Mark Boolootian wrote:
> I'm wondering if anyone from this august group
> can clue me in to how I might config around this
> issue for the archives.gov servers (assuming that
> is possible).

// 9-11commission.gov

EDNS, 9.12 and archives.gov

2018-04-11 Thread Mark Boolootian
Hi folks, I upgraded out of 9.10 and into 9.12 last week. Subsequent to that, I received complaints about hosts in archives.gov failing to resolve. We run validating recursive servers, and archives.gov is signed. I've poked at this but concluded I lack enough DNS foo to understand the specifics