I would love to hear Amazon's response to this very question! On 8/23/16 4:37 PM, Mark Andrews wrote:
I'm curious. What are you trying to achieve by blocking EDNS version negotiation? Is it really too hard to return BADVERS to a EDNS query with version != 0 along with the version of EDNS you support in the version field? Are you deliberately trying to prevent the IETF from deciding to bump the EDNS version in the future? Do you have firewalls that have this behaviour hard coded? Do you even test for RFC compliance?
Mark
lostoncampus.com.au. @205.251.195.156 (ns-924.awsdns-51.net.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.192.78 (ns-78.awsdns-09.com.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.196.198 (ns-1222.awsdns-24.org.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok lostoncampus.com.au. @205.251.199.20 (ns-1812.awsdns-34.co.uk.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok optlist=ok,nsid,subnet signed=ok ednstcp=ok