The DNS resolvers used by default by Belgacom’s Internet customers lack EDNS support, according to the test performed from OARC’s DNS Reply Size Test Server:

    hiram$ dig +short rs.dns-oarc.net txt @195.238.2.21
    rst.x476.rs.dns-oarc.net.
    rst.x485.x476.rs.dns-oarc.net.
    rst.x490.x485.x476.rs.dns-oarc.net.
    "195.238.24.113 DNS reply size limit is at least 490"
    "195.238.24.113 lacks EDNS, defaults to 512"
    "Tested at 2010-08-15 11:00:01 UTC"

    hiram$ dig +short rs.dns-oarc.net txt @195.238.2.22
    rst.x476.rs.dns-oarc.net.
    rst.x485.x476.rs.dns-oarc.net.
    rst.x490.x485.x476.rs.dns-oarc.net.
    "195.238.25.113 DNS reply size limit is at least 490"
    "195.238.25.113 lacks EDNS, defaults to 512"
    "Tested at 2010-08-15 11:00:11 UTC"

Hence, if you expect correct DNSSEC or IPv6 responses, you would be better off using alternative DNS resolvers, like OARC. Obviously, the Belgacom DNS resolvers do not return RRSIG records and do not set the AD bit. This is very disappointing, given that the DNS root is now cryptographically signed, and so are several top-level domains. It is difficult to believe that a company claiming to be the number one ISP in Belgium is unable to implement an 11-year-old standard defined in RFC 2671, which has been a standard feature in all DNS resolver software since then.
The good news is that their BBOX-2 modem can proxy an EDNS query and response when used with correctly configured DNS resolvers. As demonstrated below, the AD bit is set, meaning the DNSSEC response is valid.

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec +multiline -t ns gov. @XXX.XXX.XXX.XXX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46617
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
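
The fields dig reports above (the `ad` header flag, the OPT pseudosection, the `do` flag and the advertised UDP size) can also be read straight from the wire format. The following Python code is an added example, not part of the original post: it builds an EDNS0 query and decodes those fields from a reply. The function names are this example's own, and the two sample replies are constructed for illustration rather than captured from any resolver.

```python
import struct

def encode_name(name):
    # "gov." -> b"\x03gov\x00" (length-prefixed labels, root terminator)
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=2, udp_size=4096, do=True, qid=0x1234):
    # Header: RD set, one question, one additional record (the OPT RR).
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 2671): root name, TYPE 41, CLASS carries the UDP payload
    # size, TTL carries ext-rcode/version/flags (DO = 0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def inspect(msg):
    # Decode the fields dig prints: header flags and the OPT pseudosection.
    _qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "edns": False, "udp_size": 512, "do": False}  # 512 = pre-EDNS limit
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                          # OPT record => EDNS in use
            info.update(edns=True, udp_size=rclass, do=bool(ttl & 0x8000))
    return info

# Constructed replies (not captured traffic): same question, different resolvers.
_q = build_query("gov.")
VALIDATING_REPLY = _q[:2] + struct.pack("!H", 0x81A0) + _q[4:]   # qr rd ra ad + OPT
LEGACY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _q[12:21]  # no OPT

if __name__ == "__main__":
    for label, msg in (("validating", VALIDATING_REPLY), ("legacy", LEGACY_REPLY)):
        print(label, inspect(msg))
```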
