I am currently running git rev 06e0d6b plus trivial patches. I have been trying to work out why I get a SERVFAIL resolving and validating blog.rop.io IN AAAA Named seems to go into a loop re-querying for dns2v6.cdns.net/A and getting a truncated response. It does not fall back to TCP. A similar thing happens for rop.io/DNSKEY. I can only reproduce this response with 'dig' if I send a query without EDNS. So the question is, why is named sending queries without EDNS? It seems to be because the authority servers are a bit broken. Early in the resolution process named made a query for blog.rop.io AAAA and got a truncated response with a missing EDNS record and a missing TC flag - see the first query/response pair below At this point it marked the server as not supporting EDNS. Similarly, when named queried for dns2v6.cdns.net/AAAA it got a response without an EDNS packet. This does not seem to be due to truncation, but rather a buggy EDNS implementation which drops the record if the buffer size is 512 or less. See the second query/response pair below. *** 1 ; <<>> DiG 9.11.0pre-alpha <<>> -4 +qr +multiline +norec +dnssec +bufsize=512 blog.rop.io in aaaa @ns1.r4ns.com. ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9821 ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;blog.rop.io. IN AAAA ;; QUERY SIZE: 40 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9821 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0 ;; QUESTION SECTION: ;blog.rop.io. IN AAAA ;; AUTHORITY SECTION: rop.io. 3600 IN SOA ns1.r4ns.com. info.egeektronic.com. ( 2014061518 ; serial 1200 ; refresh (20 minutes) 180 ; retry (3 minutes) 604800 ; expire (1 week) 3600 ; minimum (1 hour) ) rop.io. 3600 IN RRSIG SOA 7 2 3600 ( 20140626000000 20140612000000 26739 rop.io. gCmNnHyTtVLbgLDOKuVou9KexzhqBeHdLoqtN9KpGPmu XHNYjk21RaFAi91ly1Z4JaiPSWk4dj+uZjUKtAde63np OdPB0N3HYX/NPaaQ2fXIE9d7qYJAOy8tEaczxQIs5hkL KBor61w4zrpypfI6uzcmqNWZ0mHibmTUumGYzwA= ) m44202ac9ca4jsqum1248sjcmff74004.rop.io. 3600 IN NSEC3 1 1 1 BEEF ( M44202AC9CA4JSQUM1248SJCMFF74005 A NS SOA MX TXT AAAA SSHFP RRSIG DNSKEY NSEC3PARAM ) ;; Query time: 34 msec ;; SERVER: 176.124.112.100#53(176.124.112.100) ;; WHEN: Mon Jun 16 14:01:04 BST 2014 ;; MSG SIZE rcvd: 342 *** 2 ; <<>> DiG 9.11.0pre-alpha <<>> +qr +multiline +ignore +norec +dnssec +bufsize=512 dns2v6.cdns.net in aaaa @194.0.1.1 ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456 ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;dns2v6.cdns.net. IN AAAA ;; QUERY SIZE: 44 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456 ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;dns2v6.cdns.net. IN AAAA ;; ANSWER SECTION: dns2v6.cdns.net. 86400 IN AAAA 2001:678:5::1 dns2v6.cdns.net. 86400 IN RRSIG AAAA 8 3 86400 ( 20140712152242 20140607075037 1616 cdns.net. n0/yzR0wAJZ/6P1QyALIbBenMYs+mYddGV9oSYNoB+UU AS8IfHHpSBLSK+T27r/u8nMacJ26TvBQ3nYb5JcZGfHM i2V6WjKoSs/Fs64Uz8GbiCX5pNUdsbZCN+3KbYFzh4Jn Req223p88Lk2l9+itq8FYLElAV8V9r7p9UNDEB8= ) ;; Query time: 36 msec ;; SERVER: 194.0.1.1#53(194.0.1.1) ;; WHEN: Mon Jun 16 14:14:13 BST 2014 ;; MSG SIZE rcvd: 229 Tony. -- f.anthony.n.finch http://dotat.at/ German Bight: Northwest 5 to 7, veering north 4 or 5. Moderate or rough. Fair. Good.