Authoritative name servers replying NOERROR but with EDE 18 ("Prohibited")
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Dec 10 14:19:12 UTC 2024
I notice that several unrelated name servers have a strange behavior, returning
EDE 18 without an obvious reason:
% dig +norec @ns.ucad.sn ucad.sn SOA
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> +norec @ns.ucad.sn ucad.sn SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29975
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 283f4c3d2a82c55e0100000067584c9c8720925241c597e1 (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;ucad.sn. IN SOA
;; ANSWER SECTION:
ucad.sn. 3600 IN SOA ns1.ucad.sn. admin.ucad.sn. 2024121006 21600 3600 640800 3600
…
;; Query time: 80 msec
;; SERVER: 196.1.95.1#53(ns.ucad.sn) (UDP)
;; WHEN: Tue Dec 10 15:14:22 CET 2024
;; MSG SIZE rcvd: 240
Without +norec, we don't have the EDE. It is strange, I understand
that an authoritative name server may not happy to see requests with
the RD bit set but the opposite?
These other nameservers do the same:
dig +norec @ns1.octopuce.fr. piaille.fr SOA
dig +norec @primary.heberge.info. mamot.fr SOA
I assume some widely used software recently added the EDE 18 but
which one? And why?
More information about the dns-operations
mailing list