[j-nsp] DNS Flag Day

Havard Eidnes he at uninett.no
Fri Jan 25 07:42:11 EST 2019

> What they told you sounds like bullshit to me. From 10.2 on
> there are no special settings required. Maybe they don't know
> how to do it?
> So I guess they are just very lazy or don't know better and
> blame the firewall... I pray for you that they don't run Code
> below 10.2...
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST

I'm guessing this isn't it.

If you inspect the error report at
it's quite clear that the test probes for support for EDNS
version 1, and expects a "bad version" response, but is instead
met with a DNS query time-out, indicating that an intermediate
box has blocked either the query (most likely) or the response.

Not responding with "bad version" violates a MUST requirement of
section 6.1.3 in RFC 6891, is likely to be an impediment to
actually developing & deploying EDNS version 1 (not yet standardized),
and makes efficient EDNS version support negotiation impossible.

It's conceivable this is PR1379433, "DNS requests with EDNS
options might be dropped by DNS ALG", fixed-in 15.1X49-D160
17.4R3 18.1R3 18.2R2 18.3R1 18.4R1.


- Håvard
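Added example, not from this thread or the DNS Flag Day test, showing on the wire what the probe Håvard describes does: a query whose OPT record announces EDNS version 1, a constructed sample of the compliant "bad version" reply RFC 6891 requires, and a classifier that tells BADVERS apart from a stripped OPT record or a time-out. The query name and transaction ID are constructed placeholders.

```python
import struct

BADVERS = 16  # RFC 6891 6.1.3: extended RCODE a server MUST return for an unsupported EDNS version

def build_edns_probe(name: str, txid: int = 0x1234, version: int = 1) -> bytes:
    """SOA/IN query carrying an OPT pseudo-RR that announces EDNS version `version`."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 6, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE | VERSION | flags
    return hdr + question + b"\x00" + struct.pack("!HHIH", 41, 4096, version << 16, 0)

def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def classify_response(resp: "bytes | None") -> str:
    """Interpret the reply to the probe; None stands for a UDP time-out."""
    if resp is None:
        return "timeout"  # the symptom in the thread: a middlebox dropped the query or the reply
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    ext_rcode, edns_version = 0, None
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            ext_rcode, edns_version = (ttl >> 24) & 0xFF, (ttl >> 16) & 0xFF
    full_rcode = (ext_rcode << 4) | (flags & 0x0F)  # 12-bit RCODE per RFC 6891
    if full_rcode == BADVERS:
        return f"BADVERS, server supports EDNS version {edns_version}"
    if edns_version is None:
        return f"no OPT in reply (rcode {full_rcode}), EDNS stripped or unsupported"
    return f"rcode {full_rcode} with EDNS version {edns_version}, no BADVERS"

def build_badvers_reply(query: bytes) -> bytes:
    """Constructed sample of a compliant reply: question echoed, OPT with extended RCODE 1 (16 = BADVERS)."""
    qend = _skip_name(query, 12) + 4  # assumes a single question
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 1)  # same ID; QR|RD|RA; low RCODE bits 0
    return hdr + query[12:qend] + b"\x00" + struct.pack("!HHIH", 41, 4096, 1 << 24, 0)
```

Sending the probe over UDP to a resolver behind the firewall and feeding the reply (or None on time-out) to classify_response reproduces the distinction the Flag Day report draws.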
