[dns-operations] mail.protection.outlook.com FORMERR responses when querying with EDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 6 13:51:49 UTC 2021


On Wed, Oct 06, 2021 at 10:44:46AM +0000, Martin George wrote:

> I was wondering if anyone else has noticed this behaviour previously,

See:

   <https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2>

   Note that DNS queries with type TLSA are mishandled by load-balancing
   nameservers that serve the MX hostnames of some large email
   providers.  The DNS zones served by these nameservers are not signed
   and contain no TLSA records.  These nameservers SHOULD provide
   "insecure" negative replies that indicate the nonexistence of the
   TLSA records, but instead they fail by not responding at all or by
   responding with a DNS RCODE [RFC1035] other than NXDOMAIN, e.g.,
   SERVFAIL or NOTIMP [RFC2136].

That text was composed in 2013, and is specifically, though not
explicitly, about Microsoft's mail.protection.outlook.com.  Not only do
the nameservers not support EDNS, they also mishandle queries for
unusual RRtypes, by incorrectly returning NOTIMP, rather than SERVFAIL.

> and could provide any reasoning behind it? Is anyone else seeing
> failures with queries for mail.protection.outlook.com and any child
> zones of the aforementioned?

This behaviour is at least 8.5 years old.  The reason is that they're
getting away with it.  Most resolvers handle this by retrying without
EDNS after FORMERR.  If a resolver stops supporting non-EDNS servers,
it becomes unable to resolve names under mail.protection.outlook.com.

-- 
    Viktor.

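The resolver behaviour described in the reply (query with EDNS, get FORMERR, retry without EDNS), as an added stand-alone illustration that is not part of the original post. Both nameservers below are constructed stand-ins written for this example: `legacy_nameserver` mimics the behaviour the RFC text and the reply describe (FORMERR on any query carrying an OPT record, NOTIMP for TLSA), and `conforming_nameserver` answers the way RFC 7672 section 2.2.2 says a server for an unsigned, TLSA-less zone should (an insecure NOERROR/empty-answer reply). The DNS wire encoding is written out with the standard library only; the A record returned uses an RFC 5737 TEST-NET address and is made up for the example.

```python
import struct

# RCODEs (RFC 1035, RFC 2136) and RR types (RFC 1035, RFC 6891, RFC 6698)
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP = 0, 1, 2, 3, 4
TYPE_A, TYPE_OPT, TYPE_TLSA = 1, 41, 52
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, edns, txid=0x1234):
    """Build a one-question query. With edns=True an OPT pseudo-RR (RFC 6891)
    goes in the additional section with the DO bit set, as a DANE-capable
    resolver would send for a TLSA lookup."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # NAME=root, TYPE=OPT, CLASS=UDP payload size, TTL=ext-RCODE/version/DO, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def parse_query(msg):
    """Return (txid, qname, qtype, has_opt, raw_question_section)."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    question_end = pos + 5  # terminator + QTYPE + QCLASS
    return txid, ".".join(labels) + ".", qtype, ar > 0, msg[12:question_end]


def make_response(query, code, answers=b"", ancount=0):
    """Response with QR=1, RD=1, RA=1, the given RCODE and the question echoed."""
    txid, _, _, _, question = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8180 | code, 1, ancount, 0, 0)
    return header + question + answers


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def a_record():
    """Constructed A RR: owner is a compression pointer to the question name
    (offset 12), TTL 300, address 192.0.2.1 (TEST-NET-1, RFC 5737)."""
    return struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])


def legacy_nameserver(query):
    """Constructed stand-in for the behaviour the post describes (a simulation,
    not the provider's software): FORMERR whenever an OPT record is present,
    NOTIMP for TLSA, and an A record for anything else."""
    _, _, qtype, has_opt, _ = parse_query(query)
    if has_opt:
        return make_response(query, FORMERR)
    if qtype == TYPE_TLSA:
        return make_response(query, NOTIMP)
    return make_response(query, NOERROR, a_record(), 1)


def conforming_nameserver(query):
    """What RFC 7672 2.2.2 asks of a server for an unsigned zone with no TLSA
    records: an insecure negative reply (NOERROR, empty answer), EDNS or not."""
    _, _, qtype, _, _ = parse_query(query)
    if qtype == TYPE_TLSA:
        return make_response(query, NOERROR)
    return make_response(query, NOERROR, a_record(), 1)


def resolve(server, name, qtype, retry_without_edns=True):
    """Minimal resolver logic: query with EDNS first and, like most production
    resolvers, fall back to a plain query when the server answers FORMERR.
    Returns the final response; a resolver that drops the fallback is stuck
    with the FORMERR for names served by the legacy server."""
    reply = server(build_query(name, qtype, edns=True))
    if rcode(reply) == FORMERR and retry_without_edns:
        reply = server(build_query(name, qtype, edns=False))
    return reply


if __name__ == "__main__":
    mx = "mail.protection.outlook.com."
    for label, srv in (("legacy", legacy_nameserver), ("conforming", conforming_nameserver)):
        for qt, qname in ((TYPE_A, "A"), (TYPE_TLSA, "TLSA")):
            r = resolve(srv, mx, qt)
            print(f"{label:10} {qname:4} rcode={rcode(r)} answers={answer_count(r)}")
    print("legacy A, no fallback: rcode =", rcode(resolve(legacy_nameserver, mx, TYPE_A, False)))
```

The point the simulation makes visible: against the legacy server the A lookup only succeeds because of the FORMERR retry, and even after the retry a TLSA query comes back NOTIMP instead of the NOERROR/no-data reply the conforming server gives, so a DANE client cannot tell "no TLSA records" from "server broken".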

