> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>
>
>> On Oct 27, 2015, at 12:35 PM, Tony Finch <d...@dotat.at> wrote:
>>
>> Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>>
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>>
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
>
>
> DNSvis did list 4 errors earlier.
>
> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>
> I turned DNSSEC validation off on one and it then resolved correctly.
>
> dnssec-validation no;
>
> Thanks for the info. Our customers have reported that it does resolve at
> the Google public DNS servers also.

Drill run on one of our name servers shows that the error is Existence denied: microsoftonline.com

[ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Trusted key: . 143619 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 143619 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted

>
>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
>
> ---
> Bruce Curtis bruce.cur...@ndsu.edu
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
>
---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
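
Added example, not part of the original message or of drill itself: a small Python parser for `drill -DT` trace text like the one above, reporting which records were marked trusted, where a DS absence was proven, and whether anything was marked bogus. The function name, the verdict strings and the handling of the `[U]` marker (which the trace's own legend does not define) are assumptions of this example.

```python
import re

# Constructed sample: the drill -DT trace from the message above, abridged
# (key material and the DS digest are left out).
SAMPLE_TRACE = """\
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
[T] Existence denied: microsoftonline.com. DS
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
"""

MARKED = re.compile(r"^\[([STBU])\]\s+(.*)$")           # leading status marker
DENIED = re.compile(r"^Existence denied:\s+(\S+)\s+DS\b")
NODATA = re.compile(r"^No data found for:\s+(\S+)\s+type\s+(\S+)")
RRLINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)")        # owner, TTL, class, type

def summarize_trace(text):
    """Report where the chain of trust holds, ends, or breaks in a -DT trace."""
    out = {"trusted": [], "no_ds": [], "bogus": [], "no_data": []}
    for line in text.splitlines():
        m = MARKED.match(line.strip())
        if not m:
            continue  # ';;' comments and unmarked records carry no verdict
        mark, rest = m.groups()
        if (d := DENIED.match(rest)):
            if mark == "T":  # only a trusted denial proves an unsigned delegation
                out["no_ds"].append(d.group(1))
            else:
                out["bogus"].append((d.group(1), "DS"))
        elif (n := NODATA.match(rest)):
            out["no_data"].append((n.group(1), n.group(2)))
        elif (r := RRLINE.match(rest)) and mark in "TB":
            out["trusted" if mark == "T" else "bogus"].append((r.group(1), r.group(2)))
    if out["bogus"]:
        out["verdict"] = "bogus"
    elif out["no_ds"]:
        out["verdict"] = "insecure below " + out["no_ds"][0]
    else:
        out["verdict"] = "secure" if out["trusted"] else "indeterminate"
    return out
```

Per RFC 4035, a validated proof that no DS exists makes the child zone insecure rather than bogus, so for the sample this reports `insecure below microsoftonline.com.` and lists the unanswered A query separately under `no_data`.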