[dns-operations] Cannot send mail to outlook.com due to olc.protection.outlook.com configuration issues

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Oct 7 17:38:10 UTC 2023 

On Sat, Oct 07, 2023 at 09:12:31AM -0700, jack tavares wrote:

> Interesting, it works fine with dig, but I get the same error the
> author does when I use "host"
> 
> I used to know the significant differences between "host" and "dig" but I
> have
> not used "host" in so long, I have forgotten them.

The "host" command, performs three lookups:

    - hostname IN A ?
    - hostname IN AAAA ?
    - hostname IN MX ?

In the case of "outlook-com.olc.protection.outlook.com", the "AAAA"
query elicits an uncacheable "empty" NODATA response from the
authoritative server, with just the EDNS(0) OPT record, and no SOA.

    $ dig +nocmd +norecur -t aaaa outlook-com.olc.protection.outlook.com @ns1-gtm.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38963
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;outlook-com.olc.protection.outlook.com.        IN AAAA

    ;; Query time: 54 msec
    ;; SERVER: 104.47.44.8#53(ns1-gtm.glbdns.o365filtering.com.) (UDP)
    ;; WHEN: Sat Oct 07 13:18:02 EDT 2023
    ;; MSG SIZE  rcvd: 67

In contrast, the "MX" query response is more "normal".

    $ dig +nocmd +norecur -t mx outlook-com.olc.protection.outlook.com @ns1-gtm.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39567
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;outlook-com.olc.protection.outlook.com.        IN MX

    ;; AUTHORITY SECTION:
    olc.protection.outlook.com. 300 IN      SOA     bn1ffonetglb003.protection.outlook.com. hostmaster.bn1ffonetglb003.protection.outlook.com. 2023060907 10800 3600 604800 300

    ;; Query time: 58 msec
    ;; SERVER: 104.47.44.8#53(ns1-gtm.glbdns.o365filtering.com.) (UDP)
    ;; WHEN: Sat Oct 07 13:21:52 EDT 2023
    ;; MSG SIZE  rcvd: 130

When I pose the "AAAA" and "MX" questions to "unbound", the results are:

 1. $ dig +nocmd -t aaaa outlook-com.olc.protection.outlook.com @127.0.0.1
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7009
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1400
    ;; QUESTION SECTION:
    ;outlook-com.olc.protection.outlook.com.        IN AAAA

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
    ;; WHEN: Sat Oct 07 13:24:26 EDT 2023
    ;; MSG SIZE  rcvd: 67

 2. $ dig +nocmd -t mx outlook-com.olc.protection.outlook.com @127.0.0.1
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13868
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1400
    ;; QUESTION SECTION:
    ;outlook-com.olc.protection.outlook.com.        IN MX

    ;; AUTHORITY SECTION:
    olc.protection.outlook.com. 300 IN      SOA     bn1ffonetglb003.protection.outlook.com. hostmaster.bn1ffonetglb003.protection.outlook.com. 2023060907 10800 3600 604800 300

    ;; Query time: 90 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
    ;; WHEN: Sat Oct 07 13:23:07 EDT 2023
    ;; MSG SIZE  rcvd: 130

So, it looks like "unbound" is not fond of empty NODATA replies with no
SOA.  It is I think reasonable to ask Microsoft to address the "no SOA"
NODATA response.

Meanwhile, the OP can configure "outlook.com" for IPv4-only delivery as
a work-around, if his MTA[1] is unable/unwilling to use the IPv4 addresses
when IPv6 address lookups tempfail.

-- 
    Viktor.

[1] Or consider switching to Postfix, which is able to tolerate failure
to resolve one of the candidate address families, so long as the other
resolves:

    $ posttls-finger -c -l verify -F /etc/ssl/cert.pem outlook.com
    posttls-finger: outlook-com.olc.protection.outlook.com[52.101.73.7]:25: matched peername: *.olc.protection.outlook.com
    posttls-finger: outlook-com.olc.protection.outlook.com[52.101.73.7]:25: subject_CN=mail.protection.outlook.com, issuer=DigiCert Cloud Services CA-1, cert fingerprint=E3:67:91:83:13:1F:AB:10:42:E7:93:D3:33:8A:6A:BC:87:7C:43:44:23:17:AE:5E:75:0F:7E:A3:41:66:40:65, pkey fingerprint=7B:8F:75:94:E0:08:F8:6E:32:5A:CE:17:27:09:B7:D2:23:08:20:42:1D:C1:DD:0A:B5:AF:F5:41:65:A3:ED:EB
    posttls-finger: Verified TLS connection established to outlook-com.olc.protection.outlook.com[52.101.73.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

[ Of course with the matched hostname derived from an unsigned MX
  lookup, the security value of the certificate match is fairly modest.
  DANE is coming to Microsoft in 2024, and at least one (canary?) domain
  is already live.  Perhaps "outlook.com" will have working inbound
  DANE some time next year. ]

More information about the dns-operations mailing list