Re: Microsoft your DNS servers are broken

2018-09-11 Thread Mehmet Akcin
I have forwarded this to my contacts at Microsoft.

On Tue, Sep 11, 2018 at 12:06 AM Mark Andrews wrote:

> While we are talking about DNS servers that are broken, Microsoft, your
> servers are as well.  As none of the zones you serve are DNSSEC signed
> there isn’t as much breakage possible but there are still
> interoperability problems and unnecessary additional traffic.  It’s not
> like the EDNS specification is complicated.
>
> The microsoftonline servers will cause DNSSEC validation to fail if they
> ever serve a DNSSEC signed zone in this state.  The FORMERR will cause
> EDNS servers to fall back to plain DNS and the validators won’t get the
> records they need.
>
> The azure servers cause problems for anyone deploying new EDNS options
> as they have to cope with your servers incorrectly echoing back the
> option.  Additionally, if EDNS(1) is ever deployed there is a good chance
> that resolvers will assume the broken answers indicate that there is no
> data at the name.
>
> Mark
>
> cityofharrison-mi.gov. @207.46.15.59 (ns1.bdm.microsoftonline.com.):
> dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed
> edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok
> optlist=formerr,subnet signed=ok ednstcp=ok
> cityofharrison-mi.gov. @2a01:111:f406:1804::59 (
> ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok
> ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
> cityofharrison-mi.gov. @191.232.83.138 (ns3.bdm.microsoftonline.com.):
> dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed
> edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok
> optlist=formerr,subnet signed=ok ednstcp=ok
> cityofharrison-mi.gov. @2a01:111:f406:b400::22 (
> ns3.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok
> ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
> cityofharrison-mi.gov. @157.56.81.41 (ns2.bdm.microsoftonline.com.):
> dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed
> edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok
> optlist=formerr,subnet signed=ok ednstcp=ok
> cityofharrison-mi.gov. @2a01:111:f406:3403::41 (
> ns2.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok
> ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
>
> clintoncounty-ia.gov. @13.107.24.7 (ns3-07.azure-dns.org.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @2a01:111:4000::7 (ns3-07.azure-dns.org.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @13.107.160.7 (ns4-07.azure-dns.info.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @2620:1ec:bda::7 (ns4-07.azure-dns.info.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @64.4.48.7 (ns2-07.azure-dns.net.): dns=ok edns=ok
> edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @2620:1ec:8ec::7 (ns2-07.azure-dns.net.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @40.90.4.7 (ns1-07.azure-dns.com.): dns=ok edns=ok
> edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> clintoncounty-ia.gov. @2603:1061::7 (ns1-07.azure-dns.com.): dns=ok
> edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed
> edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok
> ednstcp=ok
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> 
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
> --
Mehmet
+1-424-298-1903


Microsoft your DNS servers are broken

2018-09-11 Thread Mark Andrews
While we are talking about DNS servers that are broken, Microsoft, your
servers are as well.  As none of the zones you serve are DNSSEC signed
there isn’t as much breakage possible but there are still
interoperability problems and unnecessary additional traffic.  It’s not
like the EDNS specification is complicated.

The microsoftonline servers will cause DNSSEC validation to fail if they
ever serve a DNSSEC signed zone in this state.  The FORMERR will cause
EDNS servers to fall back to plain DNS and the validators won’t get the
records they need.

The azure servers cause problems for anyone deploying new EDNS options
as they have to cope with your servers incorrectly echoing back the
option.  Additionally, if EDNS(1) is ever deployed there is a good chance
that resolvers will assume the broken answers indicate that there is no
data at the name.

Mark

cityofharrison-mi.gov. @207.46.15.59 (ns1.bdm.microsoftonline.com.): dns=ok 
edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:1804::59 (ns1.bdm.microsoftonline.com.): 
dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @191.232.83.138 (ns3.bdm.microsoftonline.com.): dns=ok 
edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:b400::22 (ns3.bdm.microsoftonline.com.): 
dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @157.56.81.41 (ns2.bdm.microsoftonline.com.): dns=ok 
edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:3403::41 (ns2.bdm.microsoftonline.com.): 
dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed 
edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok 
optlist=formerr,subnet signed=ok ednstcp=ok

clintoncounty-ia.gov. @13.107.24.7 (ns3-07.azure-dns.org.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2a01:111:4000::7 (ns3-07.azure-dns.org.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @13.107.160.7 (ns4-07.azure-dns.info.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:bda::7 (ns4-07.azure-dns.info.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @64.4.48.7 (ns2-07.azure-dns.net.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:8ec::7 (ns2-07.azure-dns.net.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @40.90.4.7 (ns1-07.azure-dns.com.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2603:1061::7 (ns1-07.azure-dns.com.): dns=ok edns=ok 
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion 
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
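
Added example (not part of the thread or of the tool that produced the report): a small Python parser for the per-server result lines above that undoes the mail quoting and hard wrapping and lists, per nameserver, the tests that did not pass. The function names, the IMPACT table and the pass rule (first tag is "ok") are assumptions of this example.

```python
import re
from collections import defaultdict

# Two records copied from the report above, still hard-wrapped and one still
# ">"-quoted, the way the mail archive leaves them.
SAMPLE = """\
> cityofharrison-mi.gov. @2a01:111:f406:1804::59 (
> ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok
> ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @13.107.24.7 (ns3-07.azure-dns.org.): dns=ok edns=ok
edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion
do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
"""

HEADER = re.compile(r"(\S+) @([0-9A-Fa-f:.]+) \(\s*([^)\s]+)\):")
TEST = re.compile(r"([a-z0-9@]+)=(\S+)")

# Consequences as stated in the message above, keyed by result tag.
IMPACT = {
    "formerr": "resolver falls back to plain DNS; validators miss DNSSEC records",
    "echoed": "unknown EDNS option echoed back to the client",
}

def parse_report(text):
    """Undo quoting and wrapping, then split into one dict per server record."""
    flat = " ".join(re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines())
    heads = list(HEADER.finditer(flat))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        tests = {k: v.split(",") for k, v in TEST.findall(flat[h.end():end])}
        records.append({"zone": h[1], "addr": h[2], "ns": h[3], "tests": tests})
    return records

def failures(records):
    # Assumption: a result passes when its first tag is "ok"; later tags
    # (as in "ok,subnet") are treated as annotations, not failures.
    out = defaultdict(dict)
    for rec in records:
        for name, tags in rec["tests"].items():
            if tags[0] != "ok":
                out[rec["ns"]][name] = tags
    return dict(out)

def impacts(failed):
    """Nameserver -> sorted impact strings for the tags that server returned."""
    return {ns: sorted({IMPACT[t] for tags in tests.values() for t in tags if t in IMPACT})
            for ns, tests in failed.items()}
```

Feeding the full report through parse_report() and failures() gives one entry per nameserver, which makes it easy to diff a later re-test against this one.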