$> ping www.github.com
ping: www.github.com: Name or service not known
ps, I’m in China behind the great firewall
UPDATED:
in my /etc/resolv.conf, there is a line
options edns0
I removed it and seems everything is ok now. But this options seems to be needed by some other part of the system, I’m not sure whether it is proper to remove it.
I think it allows to use bigger queries but it might be filtered/lost by middleboxes. I had to remove it from my config too. Maybe it should default to false.
Yes, it does not trigger DNSSEC validation at all. (That would be problem in China’s stock DNS, too.) EDNS0 was standardized in 90’s in IETF, and yet some (rarer) middle-boxes still have problems. In such cases I believe networking.dnsExtensionMechanism = false; should be just fine.