Microsoft officially doesn’t do DNSSEC. (or at least not now anyway) Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
From: Franck Martin [mailto:fmar...@linkedin.com] Sent: Wednesday, May 4, 2016 4:20 PM To: Rob Heilman <rheil...@echolabs.net> Cc: Michael Wise <michael.w...@microsoft.com>; mailop@mailop.org Subject: Re: [mailop] DNS Errors for Microsoft Hostnames I like to use this tool to tell me everything... I used it on the first domain, told me there are 2 errors: http://dnsviz.net/d/alleghenycourts-us.mail.protection.outlook.com/dnssec/ On Wed, May 4, 2016 at 8:45 AM, Rob Heilman <rheil...@echolabs.net<mailto:rheil...@echolabs.net>> wrote: Got a fresh batch of DNS failures in the logs. Below is a sampling. From the BIND source code resolver.c: } else if (result != ISC_R_SUCCESS) { /* * Something bad happened. */ fctx_done(fctx, result, __LINE__); return; } Has anyone seen this before or know what might be happening? If not I will try to escalate to ISC to see if they can help diagnose. -Rob Heilman 04-May-2016 09:46:22.236 query-errors: debug 1: client 10.10.10.95#44080 (alleghenycourts-us.mail.protection.outlook.com<http://alleghenycourts-us.mail.protection.outlook.com>): query failed (SERVFAIL) for alleghenycourts-us.mail.protection.outlook.com/IN/A<http://alleghenycourts-us.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:46:22.236 query-errors: debug 1: client 10.10.10.95#44080 (courts-phila-gov.mail.protection.outlook.com<http://courts-phila-gov.mail.protection.outlook.com>): query failed (SERVFAIL) for courts-phila-gov.mail.protection.outlook.com/IN/A<http://courts-phila-gov.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:46:22.236 query-errors: debug 2: fetch completed at resolver.c:3074 for alleghenycourts-us.mail.protection.outlook.com/A<http://alleghenycourts-us.mail.protection.outlook.com/A> in 0.000122: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:46:22.236 query-errors: debug 2: fetch completed at resolver.c:3074 for courts-phila-gov.mail.protection.outlook.com/A<http://courts-phila-gov.mail.protection.outlook.com/A> in 0.000272: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:46:49.389 query-errors: debug 1: client 10.10.10.96#48950 (petersoncpa-com02b.mail.protection.outlook.com<http://petersoncpa-com02b.mail.protection.outlook.com>): query failed (SERVFAIL) for petersoncpa-com02b.mail.protection.outlook.com/IN/A<http://petersoncpa-com02b.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:46:49.389 query-errors: debug 2: fetch completed at resolver.c:3074 for petersoncpa-com02b.mail.protection.outlook.com/A<http://petersoncpa-com02b.mail.protection.outlook.com/A> in 0.000078: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:22.030 query-errors: debug 1: client 10.10.10.96#48950 (supervaluinc.mail.protection.outlook.com<http://supervaluinc.mail.protection.outlook.com>): query failed (SERVFAIL) for supervaluinc.mail.protection.outlook.com/IN/A<http://supervaluinc.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:22.030 query-errors: debug 2: fetch completed at resolver.c:3074 for supervaluinc.mail.protection.outlook.com/A<http://supervaluinc.mail.protection.outlook.com/A> in 0.000084: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:25.817 query-errors: debug 1: client 10.10.10.96#48950 (casella-com.mail.protection.outlook.com<http://casella-com.mail.protection.outlook.com>): query failed (SERVFAIL) for casella-com.mail.protection.outlook.com/IN/A<http://casella-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:25.817 query-errors: debug 2: fetch completed at resolver.c:3074 for casella-com.mail.protection.outlook.com/A<http://casella-com.mail.protection.outlook.com/A> in 0.000092: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:26.792 query-errors: debug 1: client 10.10.10.95#44080 (ghscoslaw-com.mail.protection.outlook.com<http://ghscoslaw-com.mail.protection.outlook.com>): query failed (SERVFAIL) for ghscoslaw-com.mail.protection.outlook.com/IN/A<http://ghscoslaw-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:26.792 query-errors: debug 2: fetch completed at resolver.c:3074 for ghscoslaw-com.mail.protection.outlook.com/A<http://ghscoslaw-com.mail.protection.outlook.com/A> in 0.000093: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:27.855 query-errors: debug 1: client 10.10.10.95#44080 (casella-com.mail.protection.outlook.com<http://casella-com.mail.protection.outlook.com>): query failed (SERVFAIL) for casella-com.mail.protection.outlook.com/IN/A<http://casella-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:27.855 query-errors: debug 2: fetch completed at resolver.c:3074 for casella-com.mail.protection.outlook.com/A<http://casella-com.mail.protection.outlook.com/A> in 0.000090: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:55.476 query-errors: debug 1: client 10.10.10.95#44080 (slcccpa-com.mail.protection.outlook.com<http://slcccpa-com.mail.protection.outlook.com>): query failed (SERVFAIL) for slcccpa-com.mail.protection.outlook.com/IN/A<http://slcccpa-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:55.477 query-errors: debug 2: fetch completed at resolver.c:3074 for slcccpa-com.mail.protection.outlook.com/A<http://slcccpa-com.mail.protection.outlook.com/A> in 0.000079: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:58.769 query-errors: debug 1: client 10.10.10.95#44080 (dnvgl-com.mail.protection.outlook.com<http://dnvgl-com.mail.protection.outlook.com>): query failed (SERVFAIL) for dnvgl-com.mail.protection.outlook.com/IN/A<http://dnvgl-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:58.769 query-errors: debug 2: fetch completed at resolver.c:3074 for dnvgl-com.mail.protection.outlook.com/A<http://dnvgl-com.mail.protection.outlook.com/A> in 0.000075: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:47:58.771 query-errors: debug 1: client 10.10.10.95#44080 (pennsylvanianetworks-com.mail.protection.outlook.com<http://pennsylvanianetworks-com.mail.protection.outlook.com>): query failed (SERVFAIL) for pennsylvanianetworks-com.mail.protection.outlook.com/IN/A<http://pennsylvanianetworks-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:47:58.771 query-errors: debug 2: fetch completed at resolver.c:3074 for pennsylvanianetworks-com.mail.protection.outlook.com/A<http://pennsylvanianetworks-com.mail.protection.outlook.com/A> in 0.000109: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:48:05.128 query-errors: debug 1: client 10.10.10.96#48950 (AllianceTrucks-com.mail.protection.outlook.com<http://alliancetrucks-com.mail.protection.outlook.com>): query failed (SERVFAIL) for AllianceTrucks-com.mail.protection.outlook.com/IN/A<http://alliancetrucks-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:48:05.128 query-errors: debug 2: fetch completed at resolver.c:3074 for AllianceTrucks-com.mail.protection.outlook.com/A<http://alliancetrucks-com.mail.protection.outlook.com/A> in 0.000092: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] 04-May-2016 09:48:06.028 query-errors: debug 1: client 10.10.10.96#48950 (allianceretail-com.mail.protection.outlook.com<http://allianceretail-com.mail.protection.outlook.com>): query failed (SERVFAIL) for allianceretail-com.mail.protection.outlook.com/IN/A<http://allianceretail-com.mail.protection.outlook.com/IN/A> at query.c:7004 04-May-2016 09:48:06.028 query-errors: debug 2: fetch completed at resolver.c:3074 for allianceretail-com.mail.protection.outlook.com/A<http://allianceretail-com.mail.protection.outlook.com/A> in 0.000085: failure/success [domain:mail.protection.outlook.com<http://mail.protection.outlook.com>,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0] On Apr 29, 2016, at 10:27 AM, Rob Heilman <rheil...@echolabs.net<mailto:rheil...@echolabs.net>> wrote: I have increased query-errors logging in BIND to level 10. Hopefully that will give us more to work with when the problem re-occurs. Hopefully all the invalid PTRs won’t cause these logs to melt the boxes. -Rob Heilman On Apr 28, 2016, at 5:56 PM, Michael Wise <michael.w...@microsoft.com<mailto:michael.w...@microsoft.com>> wrote: So is the FORMERR ... just the resolver noting that EDNS is not supported? If so, I'm uncertain of the issue. We don't use EDNS here, so that's what the “our” servers should be doing, yes? Also, when I replied (“ALL”) to this thread a bit earlier, my response was bounced by one particular recipient with: Error Details Reported error: 550 5.7.1 Mail rejected - dcc score 1000 Retry count: 1 DSN generated by: BY2PR03MB409.namprd03.prod.outlook.com<http://by2pr03mb409.namprd03.prod.outlook.com/> Remote server: * Traffic to a mailinglist is scored with DCC? Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ? -----Original Message----- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Carl Byington Sent: Thursday, April 28, 2016 2:16 PM To: mailop@mailop.org<mailto:mailop@mailop.org> Subject: Re: [mailop] DNS Errors for Microsoft Hostnames -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, 2016-04-28 at 20:57 +0000, Michael Wise wrote: > If the "Aware" flag expired, would best practice not be to check that > first rather than presuppose that the facility does exist? The check for "edns aware" involves sending the query with edns extensions. If the reply is formerr (or possibly others?), then you can remember that this server does not understand edns, and repeat the query without it. If you just do the first query without edns, there is no mechanism to then learn that that server does indeed understand edns. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlcifY8ACgkQL6j7milTFsEyTgCfbLe36v3LuECg+Ma4/mjxq52c C9oAnjFeZYZjl2//eCsWM3NvkeWwthUy =H2pv -----END PGP SIGNATURE----- _______________________________________________ mailop mailing list mailop@mailop.org<mailto:mailop@mailop.org> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop _______________________________________________ mailop mailing list mailop@mailop.org<mailto:mailop@mailop.org> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop _______________________________________________ mailop mailing list mailop@mailop.org<mailto:mailop@mailop.org> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop _______________________________________________ mailop mailing list mailop@mailop.org<mailto:mailop@mailop.org> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop