[185565] in North American Network Operators' Group
Re: DNSSEC broken for login.microsoftonline.com
daemon@ATHENA.MIT.EDU (Bruce Curtis)
Tue Oct 27 17:59:27 2015
X-Original-To: nanog@nanog.org
From: Bruce Curtis <bruce.curtis@ndsu.edu>
To: North American Network Operators' Group <nanog@nanog.org>
Date: Tue, 27 Oct 2015 21:59:21 +0000
In-Reply-To: <BFAA673C-2028-4BC2-A5D1-9B9FAFE41F15@ndsu.edu>
Errors-To: nanog-bounces@nanog.org
> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>
>
>> On Oct 27, 2015, at 12:35 PM, Tony Finch <dot@dotat.at> wrote:
>>
>> Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>>>
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>>
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSViz doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
>
>
> DNSViz did list 4 errors earlier.
>
> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>
> I turned DNSSEC validation off on one and it then resolved correctly.
>
> dnssec-validation no;
>
> Thanks for the info. Our customers have reported that it does resolve at the Google public DNS servers also.
Drill run on one of our name servers shows that the error is
Existence denied: microsoftonline.com

[ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Trusted key: . 143619 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 143619 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.
;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted
>
>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>
>> Tony.
>> --
>> f.anthony.n.finch <dot@dotat.at> http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
>
> ---
> Bruce Curtis bruce.curtis@ndsu.edu
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
>
---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
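As an added example (not part of this thread or of drill itself), a small parser for the `drill -DT` trace format shown above: it classifies each zone the walk visits and states the verdict a validating resolver should reach. The point it makes explicit is that a trusted "Existence denied: ... DS" line is a proven insecure delegation, so the expected outcome for login.microsoftonline.com is "insecure" (answer normally), not "bogus" (SERVFAIL); the sample trace is constructed from the output quoted above with the key material trimmed.

```python
import re

# Constructed sample: the `drill -k rootkey -DT` trace quoted above, DNSKEY material trimmed.
SAMPLE_TRACE = """\
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
[T] Existence denied: microsoftonline.com. DS
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
"""

TAGGED = re.compile(r"^\[([TBSU])\]\s+(.*)$")   # drill's per-line status tag

def parse_drill_trace(text):
    """Return {zone: state} in walk order: secure / insecure / bogus / unsigned."""
    zones, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; Domain: "):
            current = line[len(";; Domain: "):].strip()
            zones.setdefault(current, "unsigned")   # nothing proven yet for this zone
            continue
        m = TAGGED.match(line)
        if not m or current is None:
            continue
        tag, rest = m.groups()
        if tag == "B":
            zones[current] = "bogus"
        elif tag == "T" and rest.startswith("Existence denied:") and rest.endswith(" DS"):
            zones[rest.split()[2]] = "insecure"  # parent securely proves the child has no DS
        elif tag == "T" and " IN DNSKEY " in rest and zones[current] != "bogus":
            zones[current] = "secure"            # a DNSKEY chained to the trust anchor
    return zones

def chain_verdict(zones):
    """Verdict a validating resolver should reach for the last zone in the trace."""
    state = "secure"   # the root is anchored by the configured trust anchor
    for zone_state in zones.values():
        if zone_state == "bogus":
            return "bogus"
        if zone_state == "unsigned" and state == "secure":
            return "bogus"   # signed parent, no DNSKEY, and no proof that the DS is absent
        if zone_state in ("secure", "insecure"):
            state = zone_state
    return state   # "insecure" here means: answer the query, do not SERVFAIL
```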