On 09.04.18 09:59, Benoit Panizzon wrote:
> Hi List
> [...] Our two main caching DNS Servers run bind 9.11.2-P1, after flushing the cache and even restarting still see an issue with this domain: [...] Doing the same test via a 9.10.3-P4-Debian with Validation enabled, works fine.
The most likely reason: Bind 9.11 enables EDNS cookies by default, but the authoritative servers for this domain do not handle EDNS correctly:
https://ednscomp.isc.org/ednscomp/b01039e111
Quick fix:
    server NSNAME { send-cookie no; };
Btw: Currently, many resolvers implement workarounds for such broken nameservers, but several open-source resolver implementations agreed on removing these workarounds next year, so the affected nameservers will have to be fixed.
https://blog.powerdns.com/2018/03/22/removing-edns-workarounds/
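Added example, not part of the original message and not code from BIND or the ednscomp tester: it builds the kind of query discussed above (an OPT record carrying an EDNS COOKIE option) and classifies how a server replied to it. The name example.test, the function names and the sample replies are constructed for illustration.

```python
import struct

OPT, COOKIE = 41, 10   # OPT RR type (RFC 6891), COOKIE option code (RFC 7873)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def build_query(name, client_cookie=None, qid=0x1234, qtype=1):
    """Non-recursive query; with client_cookie, append an OPT RR carrying a COOKIE option."""
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, 1 if client_cookie else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if client_cookie:
        rdata = struct.pack("!HH", COOKIE, len(client_cookie)) + client_cookie
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)   # 2-byte pointer or 1-byte root label

def classify(resp):
    """Describe how a server answered a query that carried an EDNS COOKIE."""
    if resp is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4          # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        pos = skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        has_opt |= rtype == OPT
        pos += 10 + rdlen
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return "rcode " + rcode
    return "edns ok" if has_opt else "answered without OPT"

# Constructed sample replies (not captured traffic): header with QR set + echoed question
Q = encode_name("example.test") + struct.pack("!HH", 1, 1)
FORMERR_REPLY = struct.pack("!6H", 0x1234, 0x8001, 1, 0, 0, 0) + Q
NO_OPT_REPLY = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 0) + Q
OK_REPLY = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 1) + Q + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
```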