In case anyone is wondering why I've been harping on about EDNS compliance this is why. Failure to follow the protocol can result in DNS lookup failures. nara.gov is signed and the recursive server performs DNSSEC validation and sends queries with DNS COOKIEs. BADVERS is NOT a valid response to a EDNS version 0 query. Can you please contact your DNS vendor for a fix. QWEST isn't the only DNS provider that has broken nameservers. One shouldn't have to try and contact every DNS operator to get them to use protocol compliant servers. Mark ;; BADCOOKIE, retrying. ; <<>> DiG 9.11.0rc1 <<>> nara.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5744 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 85faf1e39a1a6a149bebd00a57da4b266b8546c1b75015db (good) ;; QUESTION SECTION: ;nara.gov. IN A ;; Query time: 5000 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Sep 15 17:17:58 EST 2016 ;; MSG SIZE rcvd: 65 Checking: 'nara.gov' as at 2016-09-15T07:16:32Z nara.gov @63.150.72.5 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa nara.gov @2001:428::7 (sauthns1.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa nara.gov @208.44.130.121 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa nara.gov @2001:428::8 (sauthns2.qwest.net.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=badvers,nosoa edns1opt=ok do=nodo ednsflags=ok edns@512tcp=ok optlist=badvers,nosoa The Following Tests Failed EDNS - Unknown Option Handling (ednsopt) dig +nocookie +norec +noad +ednsopt=100 soa zone @server expect: SOA expect: NOERROR expect: OPT record with version set to 0 expect: that the option will not be present in response See RFC6891, 6.1.2 Wire Format EDNS - DO=1 (do) dig +nocookie +norec +noad +dnssec soa zone @server expect: SOA expect: NOERROR expect: OPT record with version set to 0 expect: DO flag in response if RRSIG is present in response See RFC3225 EDNS - Supported Options Probe (optlist) dig +edns +noad +norec +nsid +subnet=0.0.0.0/0 +expire +cookie -q zone @server expect: NOERROR expect: OPT record with version set to 0 See RFC6891 Codes ok - test passed. nodo - EDNS DO flag not echoed. nosoa - SOA record not found when expected. badvers - BADVERS returned. To retrieve this report in the future: https://ednscomp.isc.org/ednscomp/25f2ebe619 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org