I have just sent some patches which seem to improve things for me.

> I think it would make sense to use different EDNS logic when resolving a
> signed zone. In this situation named should never send a query without
> EDNS DO.

Interestingly there's a NEEDEDNS0 flag which was not actually used. One of
my patches deletes it for tidiness, since I was hacking around in that area.

My trivial test is:

$ dig axfr . |
  sed -E '/^([0-9a-z-]+)[.][ ].*/!d;s//\1/' |
  sort -u |
  while read d; do dig dnskey $d. | grep 'status: SERVFAIL' && echo $d; done

When running rev. e58154a6ec0a8a0bde32bb1e39ad2f1fbc3d2ef2 I get:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9205
ac
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60366
am
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17601
college
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46668
cologne
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44970
eus
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44278
feedback
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65460
foo
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49232
gal
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48754
host
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61070
ink
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26656
koeln
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15330
lacaixa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26155
lu
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30175
mango
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3460
museum
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54959
nrw
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6631
quebec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43315
ruhr
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51870
scot
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46699
soy
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56911
ua
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5356
xn--80asehdb
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62827
xn--80aswg
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36947
xn--l1acc
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49480
xn--mgbab2bd
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39194
xn--q9jyb4c

With my patch that deletes the EDNS512 logic I get:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57772
foo
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49115
soy
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49205
xn--l1acc
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33837
xn--q9jyb4c

With the change of initial buffer size from 512 to 1232 I get just:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2320
xn--l1acc

which is an operational fuckup not a protocol bug.

Tony.
-- 
f.anthony.n.finch http://dotat.at/
South-east Iceland: Variable 3 or 4, occasionally southwesterly 5 in north.
Slight, occasionally moderate in north. Showers, fog patches. Moderate or
good, occasionally very poor.
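
Added illustration, not part of the original message and not named's code: the "EDNS DO" flag and the 512 versus 1232 buffer size discussed above both travel in the OPT pseudo-record of a query. The Python below builds a DNSKEY query carrying those fields and reads them back; the function names and the message ID are made up for the example.

```python
import struct

DNSKEY, OPT = 48, 41
DO_BIT = 0x8000  # "DNSSEC OK" flag inside the OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=DNSKEY, udp_size=1232, do=True, msg_id=0x1234):
    """Build a query with one question and one OPT record (msg_id is arbitrary)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT layout: root owner name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=extended-rcode(8) | version(8) | flags(16), RDLEN=0
    ttl = DO_BIT if do else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return header + question + opt


def parse_edns(msg):
    """Return (udp_size, do_flag) from an uncompressed query, or None without OPT."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        while msg[pos]:              # walk the labels of the question name
            pos += msg[pos] + 1
        pos += 1 + 4                 # root label, then QTYPE and QCLASS
    for _ in range(an + ns + ar):
        while msg[pos]:              # owner name (queries here use no compression)
            pos += msg[pos] + 1
        pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            return rclass, bool(ttl & DO_BIT)
    return None


if __name__ == "__main__":
    for size in (512, 1232):
        q = build_query("ac.", udp_size=size)
        print(size, len(q), parse_edns(q))
```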