>> Based on a Microsoft tech support case that I opened, the only way to fix 
>> this was to turn off EDNS ("dnscmd /config /EnableEDnsProbes 0").
>> This also seems to have been fixed in Windows Server 2012.

> What a bummer, this essentially stops anyone from using DNSSEC validation 
> correctly on R2. And while DNSSEC validation is a useful utility, what 
> concerns me more is the inability for other organizations / entities to be 
> able to look up our DNSSEC signed zones, especially with the fact that IPv6 
> is enabled by default on R2, causing unanticipated service failures for these 
> organizations / entities.

I think the best bet with Windows Server 2008 R2 DNS is to disable recursion, 
turn off EDNS ("dnscmd /config /EnableEDnsProbes 0"), and continue to use one 
or more DNSSEC-enabled BIND 9 recursive resolvers as forwarders ("options { 
dnssec-validation auto; allow-query { domain-controllers; }; allow-recursion { 
domain-controllers; }; };"). If you do this, querying the domain controller 
with "dig badsign-A.test.dnssec-tools.org" does return a proper SERVFAIL 
response. DNSSEC-validation is being performed by the BIND resolver, but this 
is transparent to the Windows environment.

I have continued to do things this way with my Windows Server 2012 domain 
controllers, although as you pointed out, it hasn't been necessary to disable 
EDNS since the CD flag in queries from the domain controller to the forwarders 
is cleared by default in this version.

Back to your original question, I have a Windows Server 2008 R2 test VM 
available and so built a domain controller and attempted to confirm your 
findings with dig, shown below. All four dig queries returned NOERROR. The 
query "dig mx2.comcast.com srv +dnssec" caused the domain controller to query 
the forwarder, which returned the Authority records in the order shown below. 
This was confirmed by Wireshark, and is the same order as shown in your queries 
posted earlier. If I understand you correctly, this contradicts your hypothesis 
that Windows Server 2008 R2 DNS requires that the SOA record be returned first 
in the Authority section to avoid a SERVFAIL response.

Regards, Jeff.

--------------------

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\> dig mx2.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> mx2.comcast.com srv +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;mx2.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
mx2.comcast.com.        60      IN      NSEC    mx3.comcast.com. A RRSIG NSEC
mx2.comcast.com.        3600    IN      RRSIG   NSEC 5 3 3600 20130711200520 
20130704170020 2643 comcast.com. pmOHJX7dSN
uFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB 
nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRw
jPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=

;; Query time: 124 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 07 15:46:43 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 252

PS C:\> dig '@2001:4870:20ca:158:8c2f:b9ff:31f7:3836' mx2.comcast.com srv 
+dnssec

; <<>> DiG 9.9.3 <<>> @2001:4870:20ca:158:8c2f:b9ff:31f7:3836 mx2.comcast.com 
srv +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48676
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx2.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
mx2.comcast.com.        3600    IN      RRSIG   NSEC 5 3 3600 20130711200520 
20130704170020 2643 comcast.com. pmOHJX7dSN
uFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB 
nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRw
jPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=
mx2.comcast.com.        3600    IN      NSEC    mx3.comcast.com. A RRSIG NSEC
comcast.com.            3600    IN      SOA     dns101.comcast.net. 
domregtech.comcastonline.com. 2009085823 7200 3600 1
209600 3600
comcast.com.            3600    IN      RRSIG   SOA 5 2 3600 20130711200520 
20130704170020 2643 comcast.com. Te6jKcUXakW
pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni 
QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6
zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=

;; Query time: 78 msec
;; SERVER: 
2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sun Jul 07 15:48:32 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 502

PS C:\> dig bat.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> bat.comcast.com srv +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;bat.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
comcast.com.            900     IN      SOA     dns101.comcast.net. 
domregtech.comcastonline.com. 2009085823 7200 3600 1
209600 3600
comcast.com.            900     IN      RRSIG   SOA 5 2 3600 20130711200520 
20130704170020 2643 comcast.com. Te6jKcUXakW
pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni 
QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6
zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 900  IN      NSEC    www.bat.comcast.com. A RRSIG 
NSEC

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 07 15:48:49 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 349

PS C:\> dig '@2001:4870:20ca:158:8c2f:b9ff:31f7:3836' bat.comcast.com srv 
+dnssec

; <<>> DiG 9.9.3 <<>> @2001:4870:20ca:158:8c2f:b9ff:31f7:3836 bat.comcast.com 
srv +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30832
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bat.comcast.com.               IN      SRV

;; AUTHORITY SECTION:
comcast.com.            3600    IN      SOA     dns101.comcast.net. 
domregtech.comcastonline.com. 2009085823 7200 3600 1
209600 3600
comcast.com.            3600    IN      RRSIG   SOA 5 2 3600 20130711200520 
20130704170020 2643 comcast.com. Te6jKcUXakW
pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni 
QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6
zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 3600 IN      RRSIG   NSEC 5 3 3600 20130711200520 
20130704170020 2643 comcast.com. U87nbvAj7j
7pAk4kigqMyVy8XDeHqRP9756PTQsucrRTEchtScfBKWLl 
Eo7cWJc4Vcsfept+ixg0IiAxpwHATqwNTmq/giAeglFfeFmMHlXrhdOl Bl5myReo1gSXlpm0
+bvinOFRek/MUlYGLvDAq17noJag2k1oXrvhaNBo qWo=
awrelaypool02.comcast.com. 3600 IN      NSEC    www.bat.comcast.com. A RRSIG 
NSEC

;; Query time: 78 msec
;; SERVER: 
2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sun Jul 07 15:49:05 Eastern Daylight Time 2013
;; MSG SIZE  rcvd: 520
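A small parser, added here and not part of Jeff's post or of BIND, that reads the Authority section of dig output like the transcripts above and reports what this thread is arguing about: the record types in the order the server returned them, whether an SOA is present, whether it came first, and whether the AD flag was set. The two samples are constructed from the first two outputs above, with signature data cut short.

```python
import re

# Constructed samples, abbreviated from the dig output in the post above
# (signature data cut short; only the fields the parser needs are kept).
DC_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; AUTHORITY SECTION:
mx2.comcast.com.        60      IN      NSEC    mx3.comcast.com. A RRSIG NSEC
mx2.comcast.com.        3600    IN      RRSIG   NSEC 5 3 3600 20130711200520
20130704170020 2643 comcast.com. pmOHJX7dSN...
"""
FORWARDER_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48676
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
mx2.comcast.com.        3600    IN      RRSIG   NSEC 5 3 3600 20130711200520
20130704170020 2643 comcast.com. pmOHJX7dSN...
mx2.comcast.com.        3600    IN      NSEC    mx3.comcast.com. A RRSIG NSEC
comcast.com.            3600    IN      SOA     dns101.comcast.net.
domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com.            3600    IN      RRSIG   SOA 5 2 3600 20130711200520
20130704170020 2643 comcast.com. Te6jKcUXakW...
"""
# An RR line starts with owner, TTL, class; dig's wrapped RDATA lines do not.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)")

def parse_dig(text):
    """Return (status, flags, [(owner, ttl, rrtype), ...]) in dig's printed order."""
    status, flags, authority, section = None, [], [], None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
        elif section == "AUTHORITY":
            rr = RR_LINE.match(line)
            if rr:
                authority.append((rr.group(1), int(rr.group(2)), rr.group(3)))
    return status, flags, authority

def authority_summary(text):
    """Authority RR types in wire order, SOA presence/position, and the AD flag."""
    status, flags, authority = parse_dig(text)
    types = [rrtype for _, _, rrtype in authority]
    return {"status": status, "validated": "ad" in flags,
            "authority_types": types, "has_soa": "SOA" in types,
            "soa_first": bool(types) and types[0] == "SOA"}
```

Run over the four transcripts in the post, it shows that none of them returns the SOA first, yet all four carry NOERROR, which is the observation Jeff uses against the SOA-first hypothesis.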

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
