[dns-operations] Microsoft DNS DNSSEC issues

Chad Dailey whammyster at gmail.com
Thu Nov 14 21:10:23 UTC 2024


Update:

Some more digging, this appears to be an issue with a border security
appliance that is displeased in some way with the AD bit value in a query,
and some intersection with the response received.  We've opened a ticket
with the vendor, they are researching now.  Still uncertain why this
manifested when it did, as no code or configuration changes occurred within
any of the observed TTL windows for affected domains.  Issues with other
domains resolved automagically when we deactivated this control, and our
recursive servers resumed operating to spec.  Unfortunately I cannot share
additional actionable detail for other operators to analyze.

Thank you again for your time and consideration,
Chad D

On Wed, Nov 13, 2024 at 2:55 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Tue, Nov 12, 2024 at 04:53:06PM -0600, Chad Dailey wrote:
>
> > Thank you for your analysis, much appreciated.  I've got more homework to
> > do, to determine why breakage started, apparently spontaneously.  We
> > performed no service changes during the interval where the problem began
> > to manifest.
>
> Please share any findings you'll be at liberty to share, if there's a
> fair chance that others might run into the same problem.  If they're
> more email-specific than DNS-specific, then on [mailop], otherwise
> perhaps here or both lists as appropriate.
>
> The kind folks at SIDN already reported that there's a DANE-enabled MTA
> that did not implement the robustness advice in RFC7672 and did run into
> issues delivering to outlook.com-hosted domains.  I don't know what MTA
> or outbound service you're using, but if it supports DANE, and does not
> (as suggested in RFC7672) suppress TLSA lookups for MX hosts on insecure
> IPs, then that could be the problem.  But it is still surprising why
> that would suddenly show now, and not at any time in the prior 10+
> years.
>
> --
>     Viktor.
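
As an added illustration of the RFC 7672 point in the quoted reply (my code, not Viktor's and not any MTA's implementation): the decision of whether a DANE-capable MTA may consult TLSA records for an MX host, driven by the DNSSEC validation status of the destination's MX RRset and of the host's A/AAAA records. The domain names and statuses are constructed, and treating every bogus answer as a deferral is my conservative simplification.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """DNSSEC validation status of an RRset, as reported by a validating resolver."""
    SECURE = "secure"      # validated (AD bit set by the resolver)
    INSECURE = "insecure"  # provably unsigned (unsigned delegation proven via NSEC/NSEC3)
    BOGUS = "bogus"        # validation failed (SERVFAIL from a validating resolver)


@dataclass
class MxHost:
    name: str
    address_status: Status  # status of the host's A/AAAA RRsets


@dataclass
class Destination:
    domain: str
    mx_status: Status       # status of the domain's MX RRset
    hosts: list[MxHost]     # in MX preference order


def tls_policy_for(dest: Destination, host: MxHost) -> str:
    """'dane'          -> TLSA records for this host may be looked up and enforced
       'opportunistic' -> do not issue the TLSA query; use unauthenticated STARTTLS if offered
       'defer'         -> bogus data: treat as a temporary lookup failure (my simplification)"""
    if dest.mx_status is Status.BOGUS or host.address_status is Status.BOGUS:
        return "defer"
    if dest.mx_status is not Status.SECURE:
        # Unsigned MX RRset: an on-path attacker could have substituted the host list.
        return "opportunistic"
    if host.address_status is not Status.SECURE:
        # The advice quoted above: insecure A/AAAA means no TLSA lookup for this host.
        return "opportunistic"
    return "dane"


def plan_delivery(dest: Destination) -> list[tuple[str, str]]:
    """TLS policy per MX host, in preference order."""
    return [(h.name, tls_policy_for(dest, h)) for h in dest.hosts]


# Constructed sample data (not taken from the thread).
SIGNED_DEST = Destination("example.com", Status.SECURE, [
    MxHost("mx1.example.com", Status.SECURE),            # signed zone: DANE applies
    MxHost("mx2.unsigned-host.example", Status.INSECURE),  # unsigned host zone: skip TLSA
])
UNSIGNED_DEST = Destination("example.org", Status.INSECURE, [
    MxHost("mx.example.org", Status.SECURE),  # host is signed, but the MX RRset is not
])
```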