> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <[email protected]> wrote:
>
>
>> On Oct 27, 2015, at 12:35 PM, Tony Finch <[email protected]> wrote:
>>
>> Bruce Curtis <[email protected]> wrote:
>>>
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>>
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
>
>
> DNSvis did list 4 errors earlier.
>
> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>
> I turned DNSSEC validation off on one and it then resolved correctly.
>
> dnssec-validation no;
>
> Thanks for the info. Our customers have reported that it does resolve at
> the Google public DNS servers also.
Drill run on one of our name servers shows that the error is
Existence denied: microsoftonline.com
[ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8
AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl
;{id = 62530 (zsk), size = 1024b}
Trusted key: . 143619 IN DNSKEY 256 3 8
AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl
;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 143619 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8
AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl
;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2
e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted
>
>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>
>> Tony.
>> --
>> f.anthony.n.finch <[email protected]> http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
>
> ---
> Bruce Curtis [email protected]
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
>
---
Bruce Curtis [email protected]
Certified NetAnalyst II 701-231-8527
North Dakota State University
