[dns-operations] Microsoft DNS DNSSEC issues
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Nov 13 08:53:09 UTC 2024
On Tue, Nov 12, 2024 at 04:53:06PM -0600, Chad Dailey wrote:

> Thank you for your analysis, much appreciated. I've got more homework to
> do, to determine why breakage started, apparently spontaneously. We
> performed no service changes during the interval where the problem began to
> manifest.

Please share any findings you'll be at liberty to share, if there's a
fair chance that others might run into the same problem. If they're
more email-specific than DNS-specific, then on [mailop], otherwise
perhaps here or both lists as appropriate.

The kind folks at SIDN already reported that there's a DANE-enabled MTA
that did not implement the robustness advice in RFC7672 and did run into
issues delivering to outlook.com-hosted domains. I don't know what MTA
or outbound service you're using, but if it supports DANE, and does not
(as suggested in RFC7672) suppress TLSA lookups for MX hosts on insecure
IPs, then that could be the problem. But it is still surprising why
that would suddenly show now, and not at any time in the prior 10+
years.

--
Viktor.
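Added example, not part of the original message and not any MTA's code: the RFC 7672 robustness rule mentioned above (skip the TLSA query when the MX host's address records are not DNSSEC-validated), written as a decision function over a constructed resolver table. The host names, the `tls_policy` function, and the assumption that the TLSA query under the unsigned host fails are all illustrative; only A records are modelled (no AAAA, no CNAME chasing).

```python
# Constructed resolver view: (name, rrtype) -> (status, rrset).
# status is "secure" (DNSSEC-validated), "insecure" (unsigned zone),
# or "error" (SERVFAIL, timeout, or bogus signatures).
ZONE = {
    ("mx.signed.example", "A"): ("secure", ["192.0.2.10"]),
    ("_25._tcp.mx.signed.example", "TLSA"): ("secure", ["3 1 1 <digest placeholder>"]),
    ("mx.unsigned.example", "A"): ("insecure", ["198.51.100.20"]),
    # Assumption for illustration: the TLSA query under the unsigned host fails.
    ("_25._tcp.mx.unsigned.example", "TLSA"): ("error", []),
    ("mx.nodane.example", "A"): ("secure", ["203.0.113.30"]),
    ("_25._tcp.mx.nodane.example", "TLSA"): ("secure", []),  # validated "no data"
}


def lookup(name, rrtype):
    """Stand-in for a validating stub resolver; unknown names are errors."""
    return ZONE.get((name, rrtype), ("error", []))


def tls_policy(mx_host, suppress_on_insecure=True):
    """Return (policy, queries_sent) for one MX host.

    policy is "dane", "opportunistic-tls", or "defer" (do not deliver to
    this host now). suppress_on_insecure=False models a client that sends
    the TLSA query regardless of the address records' security status.
    """
    queries = [(mx_host, "A")]
    status, addrs = lookup(mx_host, "A")
    if status == "error" or not addrs:
        return "defer", queries
    if status == "insecure" and suppress_on_insecure:
        # An unsigned zone cannot yield usable TLSA records, so the query
        # is never sent and a broken answer cannot block delivery.
        return "opportunistic-tls", queries
    tlsa_name = "_25._tcp." + mx_host
    queries.append((tlsa_name, "TLSA"))
    tlsa_status, tlsa = lookup(tlsa_name, "TLSA")
    if tlsa_status == "error":
        # A failed TLSA lookup must not be treated as "no TLSA records".
        return "defer", queries
    if tlsa_status == "secure" and tlsa:
        return "dane", queries
    return "opportunistic-tls", queries


if __name__ == "__main__":
    for host in ("mx.signed.example", "mx.unsigned.example", "mx.nodane.example"):
        print(host, tls_policy(host), tls_policy(host, suppress_on_insecure=False))
```

With suppression, the unsigned host is delivered to over opportunistic TLS after a single address query; without it, the same host ends in "defer" because of the failed TLSA lookup.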