Noticed today. All Verisign's GTLD servers broke EDNS0 (RFC2671).
Here's what it looks like:

query:

$ dnsget -t mx -vv microsoft.net. -n 192.5.6.30
;; trying microsoft.net.
;; sending 42 bytes query to 192.5.6.30 port 53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64471, size: 42
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION (1):
;microsoft.net. IN MX
;; ADDITIONAL section (1):
;EDNS0 OPT record (UDPsize: 4096): 0 bytes

Note the EDNS0 stuff (numar=1). And here's the reply to this query:

;; received 12 bytes response from 192.5.6.30 port 53
;; unexpected number of entries in QUERY section: 0
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 64471, size: 12
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION (0):
; invalid query section

They're returning FORMERR (which is wrong), *and* don't return
the original query (numqd=0).

Without EDNS0 extensions, it works as expected.

/mjt
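
Added example, not part of the original post and not dnsget's code: the Python below rebuilds the 42-byte EDNS0 query shown above and decodes a 12-byte reply constructed from the header fields in the post, so a client or monitoring check can recognize this reply shape. The function names and the classification labels are assumptions made for this illustration.

```python
import struct

FORMERR, TYPE_MX, TYPE_OPT, CLASS_IN = 1, 15, 41, 1

def build_query(name, qtype, qid, edns_udp_size=None):
    """Encode a DNS query; append an EDNS0 OPT RR when edns_udp_size is set."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, arcount)  # flags: rd only
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, CLASS_IN)  # root label, QTYPE, QCLASS
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (all zero here), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "size": len(msg)}

def classify_reply(query, reply):
    """Label a reply relative to the query that was sent."""
    q, r = parse_header(query), parse_header(reply)
    # With no question echoed back, the ID is the only field left to match on.
    if not r["qr"] or r["id"] != q["id"]:
        return "not-a-reply-to-this-query"
    if r["rcode"] == FORMERR and q["arcount"] == 1 and r["qdcount"] == 0:
        return "formerr-to-edns0-query-without-question"
    return "noerror" if r["rcode"] == 0 else "rcode-%d" % r["rcode"]

# Query from the post, rebuilt; reply constructed from the header fields shown
# there (id 64471, flags qr rd, FORMERR, all counts zero), not a packet capture.
QUERY = build_query("microsoft.net.", TYPE_MX, 64471, edns_udp_size=4096)
REPLY = struct.pack("!6H", 64471, 0x8000 | 0x0100 | FORMERR, 0, 0, 0, 0)

if __name__ == "__main__":
    print(len(QUERY), len(REPLY), classify_reply(QUERY, REPLY))
```

The OPT record accounts for 11 of the 42 bytes; the same query built without `edns_udp_size` is 31 bytes.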