I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to a EDNS query with version != 0 along with the version of EDNS you support in the version field? Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future? Do you have firewalls that have this behaviour hard coded? Do you even test for RFC compliance? Mark lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org