[ISC-support #18100] FORMERR when EDNS is disabled and spurious DS record is received
Summary
Support ticket: https://support.isc.org/Ticket/Display.html?id=18100
A customer's resolver has EDNS0 disabled globally and is logging FORMERR in a case where an authoritative server returns an unrequested DS record (with no corresponding RRSIG) in a referral, even without the DO bit being set.
BIND version used
9.11.22-S1
Steps to reproduce
- Configure resolver with:
    server 0.0.0.0/0 { edns no; };
  in global context. This has been confirmed as the minimal reproducer in Support testing.
- dig @RESOLVER_IP mg13.so.kpn.com
What is the current bug behavior?
SERVFAIL response
What is the expected correct behavior?
NOERROR, with A record returned.
Relevant configuration files
Provided in ISC-support ticket #18100; it contains potentially sensitive ACLs. A simplified resolver configuration with EDNS0 disabled globally is sufficient, as follows:
server 0.0.0.0/0 { edns no; };
Relevant logs and/or screenshots
12-Mar-2021 17:44:08.075 info: FORMERR resolving 'mg13.so.kpn.com/A/IN': 194.151.228.10#53
12-Mar-2021 17:44:08.088 info: FORMERR resolving 'mg13.so.kpn.com/A/IN': 213.75.63.33#53
12-Mar-2021 17:44:08.088 client @0x7f5a2c1c8940 127.0.0.1#40330 (mg13.so.kpn.com): view internet: query failed (SERVFAIL) for mg13.so.kpn.com/ IN/A at query.c:9601
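To check a captured upstream response for the condition described in the summary (a DS record in the authority section of a referral with no RRSIG covering it), the following Python sketch parses the DNS wire format. It is an added example, not part of the ticket or of BIND; the sample message, its names (`child.example.`) and its RDATA are constructed placeholders, and all function names are hypothetical.

```python
import struct

NS, DS, RRSIG = 2, 43, 46  # RR type codes

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(256):  # bound the walk so compression-pointer loops terminate
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: remember where to resume
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def unsigned_ds_owners(msg):
    """Owners of DS RRs in the authority section that have no RRSIG covering DS."""
    _id, _flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):  # skip question entries (name + type + class)
        off = read_name(msg, off)[1] + 4
    ds, signed = set(), set()
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if i >= an and rtype == DS:
            ds.add(owner)
        elif i >= an and rtype == RRSIG and struct.unpack_from("!H", msg, off)[0] == DS:
            signed.add(owner)  # first RRSIG RDATA field is the type covered
        off += rdlen
    return sorted(ds - signed)

def wire(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"

def rr(owner, rtype, rdata):
    return wire(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def sample_referral(with_rrsig=False):  # constructed message, not captured traffic
    auth = [rr("child.example.", NS, wire("ns1.child.example.")),
            rr("child.example.", DS, struct.pack("!HBB", 12345, 8, 2) + bytes(32))]
    if with_rrsig:  # placeholder RRSIG RDATA: only the type-covered field is meaningful
        auth.append(rr("child.example.", RRSIG, struct.pack("!H", DS) + bytes(16)))
    header = struct.pack("!6H", 0x1234, 0x8000, 1, 0, len(auth), 0)
    return header + wire("host.child.example.") + struct.pack("!HH", 1, 1) + b"".join(auth)
```

`unsigned_ds_owners(sample_referral())` returns `['child.example.']`; a real response can be checked by passing the raw DNS payload bytes from a packet capture of the non-EDNS query.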