On Oct 27, 2015, at 12:35 PM, Tony Finch <dot@dotat.at> wrote:
Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error.
There's no DS record for microsoftonline.com so you shouldn't have any DNSSEC problems with it - my servers can resolve it OK. DNSViz doesn't show any problems. The only thing which might cause trouble is the SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC debugger.
DNSViz did list 4 errors earlier.

4 recursive DNS servers here still fail to resolve login.microsoftonline.com. I turned DNSSEC validation off on one and it then resolved correctly.

    dnssec-validation no;

Thanks for the info. Our customers have reported that it does resolve at the Google public DNS servers also.
http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery showers. Moderate or poor, occasionally good.
---
Bruce Curtis
bruce.curtis@ndsu.edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
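
The comparison made in this thread (a name that fails on a validating resolver but resolves once validation is out of the picture) can be checked per query with the CD (checking disabled) bit instead of editing the resolver configuration. The following is an added example, not part of the original messages; the function names are hypothetical, and it assumes an IPv4 resolver reachable over UDP port 53.

```python
import socket
import struct
import sys

RD, AD, CD, SERVFAIL = 0x0100, 0x0020, 0x0010, 2   # header flag bits and rcode

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Wire-format query: RD set, optional CD, EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root owner, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(resp):
    """Return rcode, AD flag and answer count from a response's 12-byte header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & AD), "ancount": ancount}

def classify(normal, cd):
    """Compare the same query sent without (normal) and with (cd) the CD bit."""
    if normal["rcode"] == SERVFAIL:
        if cd["rcode"] == 0 and cd["ancount"] > 0:
            return "validation failure at this resolver"
        return "resolution failure not specific to validation"
    if normal["rcode"] == 0:
        if normal["ad"]:
            return "validated (AD set)"
        return "resolves, AD clear (insecure zone or non-validating resolver)"
    return "other rcode %d" % normal["rcode"]

def ask(resolver, name, cd=False, timeout=3.0):
    """Send one A query over UDP to the resolver and parse the reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return parse_header(s.recvfrom(4096)[0])

if __name__ == "__main__":
    # usage: python3 script.py <resolver-ip> <name>
    resolver, name = sys.argv[1], sys.argv[2]
    print(classify(ask(resolver, name), ask(resolver, name, cd=True)))
```

A SERVFAIL that turns into an answer when CD is set points at validation on that resolver, while a SERVFAIL in both cases points at the resolver's upstream path or the authoritative servers.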