QWEST you have broken DNS servers

I know it takes some time to upgrade DNS servers to ones that are actually
protocol compliant but 4+ years is ridiculous. Your servers are the only
ones serving the Alexa top 1M sites or the GOV zone that still return BADVERS
to EDNS queries with an EDNS option present. This was behaviour made up by
your DNS vendor. The correct response to EDNS options that are not understood
is to IGNORE them. This allows clients and servers to deploy support for
new options independently of each other.

Additionally this is breaking DNSSEC validation of the signed zones your clients
have you serving. They expect you to be using EDNS-compliant name servers for
this role which you are not. No, we are not working around this breakage in the
resolver.

Mark

% dig soa frc.gov. @208.44.130.121 +norec

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 59707
;; flags: qr ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:08:41 UTC 2018
;; MSG SIZE rcvd: 23

% dig soa frc.gov. @208.44.130.121 +norec +nocookie

; <<>> DiG 9.12.1 <<>> soa frc.gov. @208.44.130.121 +norec +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16876
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;frc.gov. IN SOA

;; ANSWER SECTION:
frc.gov. 86400 IN SOA sauthns2.qwest.net. dns-admin.qwestip.net. 2180320527 10800 3600 604800 86400

;; AUTHORITY SECTION:
frc.gov. 86400 IN NS sauthns1.qwest.net.
frc.gov. 86400 IN NS sauthns2.qwest.net.

;; Query time: 66 msec
;; SERVER: 208.44.130.121#53(208.44.130.121)
;; WHEN: Tue Sep 11 06:19:33 UTC 2018
;; MSG SIZE rcvd: 145

% grep ednsopt=badvers reports/alexa1m.2018-08-26T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
% grep ednsopt=badvers reports-full/gov-full.2018-09-11T00:00:06Z | grep edns=ok | awk '{print $3}' | sort -u
(sauthns1.qwest.net.):
(sauthns2.qwest.net.):
%
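
The compliance check behind the two dig runs above, written out as an added Python example that is not part of the original message or of any tool it used: it builds an EDNS version 0 query carrying an option, decodes the 12-bit extended RCODE from a reply's OPT record, and flags BADVERS as non-compliant, since BADVERS is only valid when the query's EDNS version is one the server does not implement. The function names, the all-zero cookie value and the sample reply (rebuilt from the header fields dig printed) are constructed for illustration.

```python
import struct

OPT, BADVERS, COOKIE = 41, 16, 10   # RFC 6891 OPT type and BADVERS rcode, RFC 7873 option code

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype, msg_id, options=(), version=0):
    """Non-recursive query with an EDNS OPT record carrying (code, data) options."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, version << 16, len(rdata)) + rdata
    return (struct.pack("!6H", msg_id, 0, 1, 0, 0, 1) + encode_name(qname)
            + struct.pack("!HH", qtype, 1) + opt)

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns(msg):
    """Return (full 12-bit rcode, EDNS version or None when there is no OPT record)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, rcode, version = 12, flags & 0xF, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # name, then QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:                     # OPT TTL = ext-rcode(8) | version(8) | flags(16)
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    return rcode, version

def check(query, response):
    _, qver = parse_edns(query)
    rcode, _ = parse_edns(response)
    if rcode == BADVERS and qver == 0:
        return "broken: BADVERS for an EDNS version 0 query"
    return "ok"

# Constructed samples: a SOA query with a placeholder 8-byte cookie, and the
# 23-byte reply implied by the first dig output (qr ad, no question, OPT only).
QUERY = build_query("frc.gov.", 6, 59707, [(COOKIE, bytes(8))])
BAD_REPLY = (struct.pack("!6H", 59707, 0x8020, 0, 0, 0, 1) + b"\x00"
             + struct.pack("!HHIH", OPT, 4096, 1 << 24, 0))

if __name__ == "__main__":
    print(parse_edns(BAD_REPLY), check(QUERY, BAD_REPLY))
```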

Would you like us to send this to our Qwest/CenturyLink contact?

Anne P. Mitchell,
Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop

Yes please.

From Qwest/CL:

"we are aware of the issue and expect this to be resolved next month."