[dns-operations] Cannot send mail to outlook.com due to olc.protection.outlook.com configuration issues

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Oct 7 06:20:16 UTC 2023


On Fri, Oct 06, 2023 at 01:36:26PM -0700, Craig Leres wrote:

> > So long as you don't try to look up TLSA records, or insist on using
> > EDNS(0), even after a FORMERR response, you should be fine.
> 
> I've had edns0 in resolv.conf for a really long time but even if I comment
> that out I'm still unable to deliver mail. Also I get SERVFAIL or a timeout
> if I lookup outlook-com.olc.protection.outlook.com.

It is your resolv.conf's EDNS(0) setting that matters.  That's just
between your stub resolver library and your local "unbound" resolver.
What would matter is whether your **unbound** resolver is willing to
fall back from EDNS(0) to legacy DNS.

However, I was thinking of the "mail.protection.outlook.com" zone,
handling customer domains.  The nameservers handling Microsoft's
own "outlook.com" domain seem to handle EDNS(0) just fine:

  - protection.outlook.com. IN NS ns1-gtm.glbdns.o365filtering.com.
    protection.outlook.com. IN NS ns2-gtm.glbdns.o365filtering.com.

  $ dig @ns2-gtm.glbdns.o365filtering.com -t a +ignore +norecur +nocmd +bufsize=1400 outlook-com.olc.protection.outlook.com.

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16548
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;outlook-com.olc.protection.outlook.com.	IN A

    ;; ANSWER SECTION:
    outlook-com.olc.protection.outlook.com.	30 IN A	104.47.11.225
    outlook-com.olc.protection.outlook.com.	30 IN A	104.47.11.97

    ;; Query time: 76 msec
    ;; SERVER: 104.47.40.8#53(ns2-gtm.glbdns.o365filtering.com) (UDP)
    ;; WHEN: Sat Oct 07 02:04:43 EDT 2023
    ;; MSG SIZE  rcvd: 99

In contrast with, e.g., the nameservers for the "nist.gov" MX host:

  - mail.protection.outlook.com. IN NS ns1-proddns.glbdns.o365filtering.com.
    mail.protection.outlook.com. IN NS ns2-proddns.glbdns.o365filtering.com.

  $ dig @ns2-proddns.glbdns.o365filtering.com. -t a +ignore +norecur +nocmd +bufsize=1400 nist-gov.mail.protection.outlook.com.

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20587
    ;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'

    ;; Query time: 51 msec
    ;; SERVER: 104.47.68.17#53(ns2-proddns.glbdns.o365filtering.com.) (UDP)
    ;; WHEN: Sat Oct 07 02:09:06 EDT 2023
    ;; MSG SIZE  rcvd: 12

So whatever the problem is, it is perhaps not EDNS(0).  And specific to
your network.  DNSViz also gets adequate results:

    https://dnsviz.net/d/outlook-com.olc.protection.outlook.com/ZSCCwA/dnssec/

-- 
    Viktor.
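The EDNS(0)-then-legacy fallback that this reply turns on, written out as a small Python probe (an added illustration, not code from the thread or from any resolver). Wire-format queries are built by hand; the two "servers" are constructed stand-ins that reproduce only the header behaviour seen in the dig output above (bare FORMERR versus a normal EDNS answer), and their names are assumptions, not real hosts.

```python
import struct

RCODE_FORMERR = 1
TYPE_OPT = 41

def build_query(name, qtype=1, edns=True, bufsize=1400, qid=0x1234):
    """Wire-format DNS query. RD stays clear (like dig +norecur); with
    edns=True an OPT pseudo-RR advertising `bufsize` goes in ADDITIONAL."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)) if edns else b""
    return header + question + opt

def parse_header(resp):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "qdcount": qd, "ancount": an, "arcount": ar}

def rejects_edns(resp):
    """The signature from the thread: FORMERR with every section empty
    (a 12-byte reply, QUERY: 0 and no OPT echoed back)."""
    h = parse_header(resp)
    return h["rcode"] == RCODE_FORMERR and h["qdcount"] == 0 and h["arcount"] == 0

def probe(send, name):
    """send(query_bytes) -> response_bytes. Try EDNS(0) first; on a bare
    FORMERR retry as legacy DNS, which is what a tolerant resolver does."""
    resp = send(build_query(name, edns=True))
    if not rejects_edns(resp):
        return {"edns": True, "fallback": False, "header": parse_header(resp)}
    resp = send(build_query(name, edns=False))
    return {"edns": False, "fallback": True, "header": parse_header(resp)}

# Constructed stand-ins (hypothetical, header-only; no answer RRs are synthesised).
def fake_proddns(query):
    """Like ns2-proddns above: any query carrying OPT gets a bare FORMERR."""
    qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    if arcount:
        return struct.pack("!HHHHHH", qid, 0x8001, 0, 0, 0, 0)  # qr + FORMERR, 12 bytes
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0) + query[12:]  # qr aa, legacy OK

def fake_gtm(query):
    """Like ns2-gtm above: answers the EDNS query and echoes the OPT count."""
    qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 2, 0, arcount) + query[12:]

if __name__ == "__main__":
    print(probe(fake_proddns, "nist-gov.mail.protection.outlook.com"))
    print(probe(fake_gtm, "outlook-com.olc.protection.outlook.com"))
```

Pointing `send` at a real UDP socket instead of the stand-ins turns this into the same check dig's `+ignore +noedns` retry performs, which is what to verify when a local resolver cannot reach one of these zones.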
