Skip to content

False positives for "EDNS - Unknown Version Handling (edns1)" & "EDNS - Unknown Version with Unknown Option Handling (edns1opt)" ?

Hi,

I tested some powerDNS servers for the DNS flag day.

Some warnings seems to be raised, about the unexpected presence of a SOA in the response, when a bad version/option is requested, for example for the powerdns.net zone :

https://ednscomp.isc.org/ednscomp/56b28c9733

However, a manual dig shows no SOA being returned :

$ dig +norec +noad +edns=1 +noednsneg soa powerdns.net. @79.137.83.215

; <<>> DiG 9.10.3-P4-Debian <<>> +norec +noad +edns=1 +noednsneg soa powerdns.net. @79.137.83.215
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 33660
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;powerdns.net.			IN	SOA

;; Query time: 221 msec
;; SERVER: 79.137.83.215#53(79.137.83.215)
;; WHEN: Wed Feb 13 12:03:36 CET 2019
;; MSG SIZE  rcvd: 41

I was wondering if it could be a bug in the testing tool itself.

Greets to Stephane Bortzmeyer for the idea of performing a manual dig.

Edited by Ghost User
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information