Hi,
I am currently testing the response of NSD (v4.1.26) to EDNS OPT confirmability (https://ednscomp.isc.org/ednscomp/). I am looking in particular at the confirmation of a request with a bad EDNS version like:
dig +edns=1 soa zone @server
If I look at the network response, I observe that in this case, the response from NSD does not contain the initial request. I just get a response containing an additional OPT record.
If I make the request by specifying edns=0, then NSD responds correctly by copying the initial request well in its response.
I tested with Bind and Unbound, they behave well with edns=1, they respond well by copying the initial request in their response.
In what I observe, only NSD does not copy the initial request in its response when edns=1.
This is problematic for me because my NSD is behind a dnsdist and it considers that the answer is "non compliant" and therefore does not transmit it to the client who made the request.
I do not know if dnsdist is right to consider the response as "not compliant" because it does not contain the initial request, but since NSD is the only one in my tests to behave like this, I wonder if there is not a problem.
Thanks
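
An added example, not part of the original report and not NSD or dnsdist code: a Python check that compares the question section of a query with that of its response and decodes the EDNS version and extended RCODE from the OPT record. It assumes "the initial request" above means the DNS question section; the messages are constructed samples and all function names are illustrative.

```python
import struct

OPT = 41  # EDNS pseudo-RR type

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def opt_rr(version, ext_rcode=0, udp_size=4096):
    # OPT TTL field = extended RCODE (8 bits) | EDNS version (8 bits) | flags (16 bits)
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, (ext_rcode << 24) | (version << 16), 0)

def build_message(msg_id, flags, question, version, ext_rcode=0):
    header = struct.pack("!HHHHHH", msg_id, flags, 1 if question else 0, 0, 0, 1)
    return header + question + opt_rr(version, ext_rcode)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        end = skip_name(msg, off)
        questions.append(msg[off:end + 4])  # raw QNAME + QTYPE + QCLASS
        off = end + 4
    rcode, version = flags & 0xF, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4  # extended RCODE supplies the upper 8 bits
            version = (ttl >> 16) & 0xFF
    return {"questions": questions, "rcode": rcode, "edns_version": version}

def question_echoed(query, response):
    q, r = summarize(query), summarize(response)
    return bool(q["questions"]) and q["questions"] == r["questions"]

# Constructed sample messages (not captured traffic): SOA/IN query with EDNS
# version 1, and two BADVERS (RCODE 16) responses, with and without the question.
QUESTION = encode_name("zone.example") + struct.pack("!HH", 6, 1)
QUERY = build_message(0x1234, 0x0100, QUESTION, version=1)
RESP_WITH_Q = build_message(0x1234, 0x8000, QUESTION, version=0, ext_rcode=1)
RESP_NO_Q = build_message(0x1234, 0x8000, b"", version=0, ext_rcode=1)
```

Feeding `summarize` the raw UDP payloads from a packet capture of the `dig +edns=1` exchange shows directly whether the response's QDCOUNT is 0 and which RCODE the OPT record carries.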