Re: [dns-operations] mail.protection.outlook.com has EDNS issues

[Paul Vixie via dns-operations]

--- Begin Message ---



Matthew Richardson wrote on 2022-07-06 07:52:

...

Alternatively, is this the sort of issue in which DNS-OARC could become
involved by way of outreach to MS about the problems?  The lack of EDNS0
will probably become an increasing problem over time.  This DNS setup is
used for ALL email to Office365 business users, which is not a small
quantity.


https://github.com/dns-violations/dns-violations

https://ednscomp.isc.org/

--
P Vixie

--- End Message ---
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Re: [dns-operations] mail.protection.outlook.com has EDNS issues

[Matthew Richardson]

Aside from today's outage, the DNS for mail.protetion.office.com seems to
have been very poor for a long time.  As an example from 2020, Brian Somers
lamented its state:-

https://lists.dns-oarc.net/pipermail/dns-operations/2020-April/020124.html

The scale of the general problem (after this fault has been fixed) can be
seen at:-

https://www.zonemaster.fr/result/e46bf2d6d1d70989

As MS is a Silver member of DNS-OARC, are there any MS folks on here who
might be involved with the authoratitive side of
mail.protection.office.com, or who might be able to get the issue raised
internally at MS?

Alternatively, is this the sort of issue in which DNS-OARC could become
involved by way of outreach to MS about the problems?  The lack of EDNS0
will probably become an increasing problem over time.  This DNS setup is
used for ALL email to Office365 business users, which is not a small
quantity.

--
Best wishes,
Matthew
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

[dns-operations] mail.protection.outlook.com has EDNS issues

[Stephane Bortzmeyer]

The authoritative name servers for mail.protection.outlook.com
apparently don't reply if you use EDNS. And it seems many resolvers
don't fallback on old-DNS (and rightly so). Seen from the RIPE Atlas
probes, many resolvers cannot resolve names under
mail.protection.outlook.com (here, the MX of cybercampus.fr):

% blaeu-resolve --type A -r 500 campuscyber-fr.mail.protection.outlook.com
[104.47.24.36 104.47.25.36] : 298 occurrences 
[ERROR: SERVFAIL] : 138 occurrences 
[] : 2 occurrences 
Test #4162 done at 2022-07-06T09:25:50Z

% dig @ns1-proddns.glbdns.o365filtering.com. NS  mail.protection.outlook.com

; <<>> DiG 9.16.1-Ubuntu <<>> @ns1-proddns.glbdns.o365filtering.com. NS 
mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 64702
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; WARNING: EDNS query returned status FORMERR - retry with '+nodnssec +noedns'

;; Query time: 43 msec
;; SERVER: 104.47.16.17#53(104.47.16.17)
;; WHEN: mer. juil. 06 11:22:28 CEST 2022
;; MSG SIZE  rcvd: 12

~ % dig +nodnssec +noedns +bufsize=0 +nocookie 
@ns1-proddns.glbdns.o365filtering.com. NS  mail.protection.outlook.com

; <<>> DiG 9.16.1-Ubuntu <<>> +nodnssec +noedns +bufsize +nocookie 
@ns1-proddns.glbdns.o365filtering.com. NS mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52148
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.protection.outlook.com. INNS

;; ANSWER SECTION:
mail.protection.outlook.com. 10 IN NS ns1-proddns.glbdns.o365filtering.com.
mail.protection.outlook.com. 10 IN NS ns2-proddns.glbdns.o365filtering.com.

;; Query time: 47 msec
;; SERVER: 104.47.16.17#53(104.47.16.17)
;; WHEN: mer. juil. 06 11:22:50 CEST 2022
;; MSG SIZE  rcvd: 199
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations