On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
On Oct 27, 2015, at 12:35 PM, Tony Finch <dot@dotat.at> wrote:
Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error.
There's no DS record for microsoftonline.com so you shouldn't have any DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't show any problems. The only thing which might cause trouble is the SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC debugger.
DNSvis did list 4 errors earlier.
4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
I turned DNSSEC validation off on one and it then resolved correctly.
dnssec-validation no;
Thanks for the info. Our customers have reported that it does resolve at the Google public DNS servers also.
Drill run on one of our name servers shows that the error is Existence denied: microsoftonline.com [ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com ;; Number of trusted keys: 2 ;; Domain: . [T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b} . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b} Checking if signing key is trusted: New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b} Trusted key: . 143619 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b} Key is now trusted! Trusted key: . 143619 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b} Key is now trusted! Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} [T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ;; Domain: com. [T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b} com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b} [T] Existence denied: microsoftonline.com. DS ;; No ds record for delegation ;; Domain: microsoftonline.com. ;; No DNSKEY record found for microsoftonline.com. ;; No DS for login.microsoftonline.com.;; No ds record for delegation ;; Domain: login.microsoftonline.com. ;; No DNSKEY record found for login.microsoftonline.com. [U] No data found for: login.microsoftonline.com. type A ;;[S] self sig OK; [B] bogus; [T] trusted
http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery showers. Moderate or poor, occasionally good.
--- Bruce Curtis bruce.curtis@ndsu.edu Certified NetAnalyst II 701-231-8527 North Dakota State University
--- Bruce Curtis bruce.curtis@ndsu.edu Certified NetAnalyst II 701-231-8527 North Dakota State University