[185561] in North American Network Operators' Group
Re: DNSSEC broken for login.microsoftonline.com
daemon@ATHENA.MIT.EDU (Bruce Curtis)
Tue Oct 27 16:37:11 2015
X-Original-To: nanog@nanog.org
From: Bruce Curtis <bruce.curtis@ndsu.edu>
To: Tony Finch <dot@dotat.at>
Date: Tue, 27 Oct 2015 20:37:07 +0000
In-Reply-To: <alpine.LSU.2.00.1510271732560.25050@hermes-2.csi.cam.ac.uk>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Oct 27, 2015, at 12:35 PM, Tony Finch <dot@dotat.at> wrote:
>=20
> Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>>=20
>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>> because of a DNSSEC error.
>=20
> There's no DS record for microsoftonline.com so you shouldn't have any
> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
> show any problems. The only thing which might cause trouble is the
> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
> debugger.
DNSvis did list 4 errors earlier. =20
4 recursive DNS servers here still fail to resolve login.microsoftonline.=
com.
I turned DNSSEC validation off on one and it then resolved correctly.
dnssec-validation no;
Thanks for the info. Our customers have reported that it does resolve at=
the Google public DNS servers also.
> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>=20
>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>=20
> Tony.
> --=20
> f.anthony.n.finch <dot@dotat.at> http://dotat.at/
> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale =
8 in
> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thunder=
y
> showers. Moderate or poor, occasionally good.
---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University =20
