[dns-operations] problems resolving microsoft.com
Michael Sinatra
michael at rancid.berkeley.edu
Wed Dec 29 05:36:25 UTC 2010
There's a thread over on bind-users@ that is really not a BIND issue at
all (I have replicated it with unbound). To summarize:
o microsoft.com (and hotmail.com and live.com as you might expect) DNS
is provided by authoritatives ns[1-5].msft.net.
o those servers don't support EDNS.
o those servers appear to block TCP/53. Falling back to TCP results in
timeout. (Blecch.)
o sending an 'ANY' query for microsoft.com to these authoritatives
results in a response that's over 512 bytes, which then falls back to
TCP and hangs.
o sending a TXT query for microsoft.com results in a response that is
494 bytes (due to a large SPF TXT record and a separate TXT record with
some sort of base64 information in it--it doesn't appear to be DKIM).
--> Conclusion: microsoft.com is already unresolvable for anyone (or any
application) that does ANY queries, and it's very close to being
unresolvable for any application/MTA that does TXT queries. hotmail.com
and live.com are in better shape, but they could have problems with the
addition of just a few DNS records.
--> Conclusion: Don't let this be you! Support EDNS! Allow TCP/53 as
the RFCs require!
If there's anyone from MSFT on list, you might want to look into this...
thanks,
michael
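An added example, not part of the post above or of any BIND/unbound code: a stdlib-only Python model of the exchange the thread describes. It builds real DNS wire-format messages for a constructed zone (example.test, with two large TXT records, five NS, two MX, an SOA and an A), lets a simulated authoritative answer over UDP with or without EDNS support, and shows what a resolver gets back for TXT versus ANY. The zone contents, the 4096-byte buffer size and the hostnames are assumptions for illustration; names are left uncompressed, so the byte counts are upper bounds on what a real server would send.

```python
"""
Model of the 512-byte / EDNS / TCP-fallback interaction from the thread.
Constructed data only: example.test and every record below are made up.
"""
import base64
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload ceiling when no EDNS0 OPT is present
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_MX, TYPE_TXT, TYPE_OPT, TYPE_ANY = 1, 2, 6, 15, 16, 41, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100

def name(n):
    """Encode a domain name as uncompressed DNS labels."""
    labels = n.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def txt(text):
    """TXT RDATA: a sequence of <character-string>s, each at most 255 bytes."""
    data = text.encode("ascii")
    return b"".join(bytes([len(c)]) + c for c in (data[i:i + 255] for i in range(0, len(data), 255)))

def rr(owner, rtype, rdata, ttl=3600):
    """(type, wire) pair for one class-IN resource record."""
    return rtype, name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

ZONE = "example.test"  # constructed zone shaped like the one in the post
RECORDS = [
    rr(ZONE, TYPE_TXT, txt("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                           "ip6:2001:db8::/32 include:_spf.example.test ~all")),
    rr(ZONE, TYPE_TXT, txt("site-verification="
                           + base64.b64encode(b"constructed verification token!!").decode())),
    rr(ZONE, TYPE_A, bytes([192, 0, 2, 10])),
    *[rr(ZONE, TYPE_NS, name(f"ns{i}.example.test")) for i in range(1, 6)],
    rr(ZONE, TYPE_MX, struct.pack("!H", 10) + name("mail1.example.test")),
    rr(ZONE, TYPE_MX, struct.pack("!H", 20) + name("mail2.example.test")),
    rr(ZONE, TYPE_SOA, name("ns1.example.test") + name("hostmaster.example.test")
       + struct.pack("!IIIII", 2010122901, 3600, 900, 604800, 300)),
]

def build_query(qname, qtype, edns_bufsize=None):
    """Client query; with EDNS0, an OPT pseudo-RR (root owner, CLASS = buffer size) is added."""
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_RD, 1, 0, 0, 1 if edns_bufsize else 0)
    msg = hdr + name(qname) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg

def parse_query(query):
    """Return (question_wire, qtype, advertised EDNS buffer size or None)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:
        pos += query[pos] + 1
    pos += 1
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    bufsize = None
    if arcount:  # Additional section starts right after QTYPE/QCLASS
        rtype, rclass = struct.unpack("!HH", query[pos + 5:pos + 9])
        bufsize = rclass if rtype == TYPE_OPT else None
    return query[12:pos + 4], qtype, bufsize

def build_answer(query, records, edns_bufsize=None):
    """Full authoritative response (QR|AA); an OPT RR is echoed only when EDNS was negotiated."""
    question, qtype, _ = parse_query(query)
    answers = [wire for rtype, wire in records if qtype in (rtype, TYPE_ANY)]
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if edns_bufsize else b""
    hdr = query[:2] + struct.pack("!HHHHH", FLAG_QR | FLAG_AA, 1, len(answers), 0, 1 if opt else 0)
    return hdr + question + b"".join(answers) + opt

def serve_udp(query, records, supports_edns=True):
    """UDP path: a server that ignores EDNS is bound by 512 bytes; oversize replies come back TC=1."""
    question, _, bufsize = parse_query(query)
    negotiated = bufsize if (supports_edns and bufsize) else None
    full = build_answer(query, records, negotiated)
    if len(full) <= (negotiated or CLASSIC_UDP_LIMIT):
        return full
    # Minimal truncation: header with TC set plus the question, no answers
    return query[:2] + struct.pack("!HHHHH", FLAG_QR | FLAG_AA | FLAG_TC, 1, 0, 0, 0) + question

def serve_tcp(query, records):
    """TCP path: two-byte length prefix, up to 65535 bytes, never truncated."""
    full = build_answer(query, records)
    return struct.pack("!H", len(full)) + full

def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)

def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]

def resolve(qname, qtype, records, use_edns, server_supports_edns, tcp_allowed):
    """Resolver: UDP first, TCP retry on TC. Returns the answer count, or None if unresolvable."""
    query = build_query(qname, qtype, 4096 if use_edns else None)
    resp = serve_udp(query, records, server_supports_edns)
    if not is_truncated(resp):
        return answer_count(resp)
    if not tcp_allowed:
        return None  # TCP/53 filtered at the authoritative: the retry just times out
    return answer_count(serve_tcp(query, records)[2:])

def uncompressed_size(qtype, records=RECORDS, qname=ZONE):
    """Size of the plain (non-EDNS) response, i.e. what has to fit under 512 bytes."""
    return len(build_answer(build_query(qname, qtype), records))

if __name__ == "__main__":
    for label, qtype in (("TXT", TYPE_TXT), ("ANY", TYPE_ANY)):
        size = uncompressed_size(qtype)
        print(f"{label}: {size} bytes, headroom below 512: {CLASSIC_UDP_LIMIT - size}")
        for edns, srv_edns, tcp in ((False, False, True), (True, False, False), (True, True, False)):
            got = resolve(ZONE, qtype, RECORDS, edns, srv_edns, tcp)
            print(f"  client EDNS={edns} server EDNS={srv_edns} TCP={tcp}: "
                  + ("unresolvable" if got is None else f"{got} answers"))
```

The two things worth noticing when running it: the client advertising a 4096-byte buffer changes nothing if the authoritative ignores the OPT record, because the server still applies the 512-byte ceiling and sets TC; and once TC is set, the outcome depends entirely on whether TCP/53 reaches the server. Swapping the sample zone for a dump of your own apex records is a quick way to see how much headroom a TXT or ANY response has before it crosses 512 bytes.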