[dns-operations] problems resolving microsoft.com

Michael Sinatra michael at rancid.berkeley.edu
Wed Dec 29 05:36:25 UTC 2010

There's a thread over on bind-users@ that is really not a BIND issue at 
all (I have replicated it with unbound).  To summarize:

o microsoft.com (and hotmail.com and live.com as you might expect) DNS 
is provided by authoritatives ns[1-5].msft.net.

o those servers don't support EDNS.

o those servers appear to block TCP/53.  Falling back to TCP results in 
timeout.  (Blecch.)

o sending an 'ANY' query for microsoft.com to these authoritatives 
results in a response that's over 512 bytes, which then falls back to 
TCP and hangs.

o sending a TXT query for microsoft.com results in a response that is 
494 bytes (due to a large SPF TXT record and a separate TXT record with 
some sort of base64 information in it--it doesn't appear to be DKIM).

--> Conclusion: microsoft.com is already unresolvable for anyone (or any 
application) that does ANY queries, and it's very close to being 
unresolvable for any application/MTA that does TXT queries.  hotmail.com 
and live.com are in better shape, but they could have problems with the 
addition of just a few DNS records.

--> Conclusion: Don't let this be you!  Support EDNS!  Allow TCP/53 as 
the RFCs require!

If there's anyone from MSFT on list, you might want to look into this...


More information about the dns-operations mailing list