orange:
EDNS Compliance Tester
Checking: 'orange.fr' as at 2018-05-28T16:47:19Z
orange.fr @80.10.201.224 (ns1.orange.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
orange.fr @2a01:cb04:2040:2::1 (ns1.orange.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
orange.fr @80.10.202.224 (ns2.orange.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
orange.fr @2a01:cb14:2040::1 (ns2.orange.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=timeout optlist=ok
The Following Tests Failed
Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.
Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.
EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and RFC6891
Codes
ok - test passed.
timeout - lookup timed out.
quad9:
EDNS Compliance Tester
Checking: 'quad9.net' as at 2018-05-28T16:49:26Z
quad9.net @204.61.216.4 (anyns.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=nsid ("3.pao.pch")
quad9.net @2001:500:14:6004:ad::1 (anyns.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=nsid ("7.pao.pch")
quad9.net @204.42.254.5 (ns2.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
quad9.net @2001:418:3f4::5 (ns2.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
quad9.net @206.220.231.3 (ns3.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
quad9.net @2620:0:872::231:3 (ns3.pch.net.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
All Ok
Codes
ok - test passed.
nsid - NSID supported [RFC5001].
test google:
EDNS Compliance Tester
Checking: 'google.com' as at 2018-05-28T16:49:58Z
google.com @216.239.32.10 (ns1.google.com.): edns=noopt edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @2001:4860:4802:32::a (ns1.google.com.): edns=noopt,ipv6 edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @216.239.34.10 (ns2.google.com.): edns=noopt edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @2001:4860:4802:34::a (ns2.google.com.): edns=noopt,ipv6 edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @216.239.36.10 (ns3.google.com.): edns=noopt edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @2001:4860:4802:36::a (ns3.google.com.): edns=noopt,ipv6 edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @216.239.38.10 (ns4.google.com.): edns=noopt edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
google.com @2001:4860:4802:38::a (ns4.google.com.): edns=noopt,ipv6 edns1=status,noopt,soa edns@512=noopt ednsopt=noopt edns1opt=status,noopt,soa do=noopt ednsflags=noopt docookie=noopt edns@512tcp=noopt optlist=subnet
The Following Tests Failed
Warning: test failures may indicate that some DNS clients cannot resolve the zone or will get an unintended answer or resolution will be slower than necessary.
Warning: failure to address issues identified here may make future DNS extensions that you want to use ineffective. In particular echoing back unknown EDNS options and unknown EDNS flags will break future signaling between DNS client and DNS server. We already have examples of this where you cannot depend on the AD flag bit meaning anything in replies because too many DNS servers just echo it back. Similarly the EDNS Client Subnet (ECS) option cannot just be sent to everyone in part because of servers just echoing it back.
Plain EDNS (edns)
This is the style of the initial query that BIND 9.0.x sends.
dig +nocookie +norec +noad +edns=0 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: EDNS over IPv6
See RFC6891
EDNS - Unknown Version Handling (edns1)
dig +nocookie +norec +noad +edns=1 +noednsneg soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
See RFC6891, 6.1.3. OPT Record TTL Field Use
EDNS - Truncated Response (edns@512)
dig +nocookie +norec +noad +dnssec +bufsize=512 +ignore dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
expect: UDP DNS message size to be less than or equal to 512 bytes
See RFC6891, 7. Transport Considerations
EDNS - Unknown Option Handling (ednsopt)
dig +nocookie +norec +noad +ednsopt=100 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: that the option will not be present in response
See RFC6891, 6.1.2 Wire Format
EDNS - Unknown Version with Unknown Option Handling (edns1opt)
dig +nocookie +norec +noad +edns=1 +noednsneg +ednsopt=100 soa zone @server
expect: BADVERS
expect: OPT record with version set to 0
expect: not to see SOA
expect: that the option will not be present in response
See RFC6891
EDNS - DNSSEC (do)
This is the style of the initial query that BIND 9.1.0 - BIND 9.10.x sends.
dig +nocookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225
EDNS - Unknown Flag Handling (ednsflags)
dig +nocookie +norec +noad +ednsflags=0x80 soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: Z bits to be clear in response
See RFC6891, 6.1.4 Flags
EDNS - DNSSEC with DNS COOKIE Option (docookie)
This is the style of the initial query that BIND 9.11.0 and BIND 9.10.4 Windows onwards send.
dig +cookie +norec +noad +dnssec soa zone @server
expect: SOA
expect: NOERROR
expect: OPT record with version set to 0
expect: DO flag in response if RRSIG is present in response
See RFC3225, RFC6891, and RFC7873.
EDNS - over TCP Response (edns@512tcp)
dig +vc +nocookie +norec +noad +edns +dnssec +bufsize=512 dnskey zone @server
expect: NOERROR
expect: OPT record with version set to 0
See RFC5966 and RFC6891
Codes
ok - test passed.
subnet - EDNS Client Subnet supported [RFC7871].
soa - SOA record found when not expected.
ipv6 - no EDNS over IPv6 as required by IPv6 node requirements.
noopt - OPT record not found when expected.
status - expected rcode status code not found.
fdn.fr:
EDNS Compliance Tester
Checking: 'fdn.fr' as at 2018-05-28T16:54:58Z
fdn.fr @80.67.169.26 (gchq.fdn.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
fdn.fr @2001:910:800::26 (gchq.fdn.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
fdn.fr @80.67.169.25 (nsa.fdn.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
fdn.fr @2001:910:800::25 (nsa.fdn.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
fdn.fr @193.51.24.1 (soleil.uvsq.fr.): edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=expire
All Ok
Codes
ok - test passed.
expire - EDNS EXPIRE supported [RFC7314].
Science without conscience is but the ruin of the soul...