[dns-operations] mail.protection.outlook.com FORMERR responses when querying with EDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 6 13:51:49 UTC 2021


On Wed, Oct 06, 2021 at 10:44:46AM +0000, Martin George wrote:

> I was wondering if anyone else has noticed this behaviour previously,

See:

   <https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2>

   Note that DNS queries with type TLSA are mishandled by load-balancing
   nameservers that serve the MX hostnames of some large email
   providers.  The DNS zones served by these nameservers are not signed
   and contain no TLSA records.  These nameservers SHOULD provide
   "insecure" negative replies that indicate the nonexistence of the
   TLSA records, but instead they fail by not responding at all or by
   responding with a DNS RCODE [RFC1035] other than NXDOMAIN, e.g.,
   SERVFAIL or NOTIMP [RFC2136].

That text was composed in 2013, and is specifically, thought not
explicitly, about Microsoft's mail.protection.outlook.com.  Not only do
the nameservers not support EDNS, they also mishandle queries for
unusual RRtypes, by incorrectly returning NOTIMP, rather than SERVFAIL.

> and could provide any reasoning behind it? Is anyone else seeing
> failures with queries for mail.protection.outlook.com and any child
> zones of the aforementioned?

This behaviour is at least 8.5 years old.  The reason is that they're
getting away with it.  Most resolvers handle this by retrying without
EDNS after FORMERR.  If a resolver stops supporting non-EDNS servers,
it becomes unable to resolve names under mail.protection.outlook.com.

-- 
    VIktor.


More information about the dns-operations mailing list