On Wed, 2022-07-06 at 11:49 +0200, Stephane Bortzmeyer wrote:
> On Wed, Jul 06, 2022 at 11:37:40AM +0200, Bjoern Franke via NANOG <nanog@nanog.org> wrote a message of 10 lines which said:
> > <tenant>.mail.protection.outlook.com seems to throw servfails.
> The authoritative name servers for this domain do not handle EDNS (which was specified only 23 years ago) so the resolvers that do not fall back on EDNS (probably the majority) return a SERVFAIL.
While it is true that their auths do not handle EDNS, they cover that by responding with FORMERR without an EDNS section. All resolvers should in fact fall back.
From what I can tell, the real problem is that these servers barely respond at all - so little that it's easy to conclude that EDNS is the reason, but without EDNS responses are just as sporadic.
So, in short, they have a DNS responding problem; their bad handling of EDNS makes that worse, because now a resolver needs to get two queries (one with EDNS, then one without) through to them before resolving something - and then it is rewarded with a 10 second TTL!

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/