FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error.

http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
http://dnsviz.net/d/login.microsoftonline.com/dnssec/

[ns1 domain]$ drill -DT login.microsoftonline.com
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted
[ns1 domain]$

[ns1 domain]$ drill -DT medicare.gov
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] gov. 86400 IN DS 7698 8 1 6f109b46a80cea9613dc86d5a3e065520505aafe
gov. 86400 IN DS 7698 8 2 6bc949e638442ead0bdaf0935763c8d003760384ff15ebbd5ce86bb5559561f0
;; Domain: gov.
;; Signature ok but no chain to a trusted key or ds record
[S] gov. 86400 IN DNSKEY 256 3 8 ;{id = 13175 (zsk), size = 1024b}
gov. 86400 IN DNSKEY 257 3 8 ;{id = 7698 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: gov. 86400 IN DNSKEY 256 3 8 AQPCY4NZARQ0HDzGismy6sZdJ17o2+yzmZSkw6d9PeeJ8NCnw9atj4PGHO50LX1Hy0n4YimUcDEXHu+sI4MBaeTkHY3ilsC2kpWGGOFW2fkXn6XNvvPVRjwk04hDsEFphOXPPdoXWjXtQiTVYkFpgUbxJYo24/JxM5JuC4v0+qDmLQ== ;{id = 13175 (zsk), size = 1024b}
[S] medicare.gov. 3600 IN DS 16500 7 1 ea88786ecaa04e66322e4405b1c1a55e31485281
medicare.gov. 3600 IN DS 16500 7 2 43a0e12df89bb342c15229495cd2bc18dddce0d9fb315aeb5b06b0d849b9a3ee
;; Domain: medicare.gov.
;; Signature ok but no chain to a trusted key or ds record
[S] medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 58988 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 41714 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 257 3 7 ;{id = 16500 (ksk), size = 2048b}
[S] medicare.gov. 20 IN A 23.213.71.152
;;[S] self sig OK; [B] bogus; [T] trusted

---
Bruce Curtis                bruce.curtis@ndsu.edu
Certified NetAnalyst II     701-231-8527
North Dakota State University