DNSSEC broken for login.microsoftonline.com

Bruce Curtis bruce.curtis at ndsu.edu
Tue Oct 27 20:37:07 UTC 2015

> On Oct 27, 2015, at 12:35 PM, Tony Finch <dot at dotat.at> wrote:
> Bruce Curtis <bruce.curtis at ndsu.edu> wrote:
>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>> because of a DNSSEC error.
> There's no DS record for microsoftonline.com so you shouldn't have any
> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
> show any problems. The only thing which might cause trouble is the
> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
> debugger.

  DNSvis did list 4 errors earlier.  

  4 recursive DNS servers here still fail to resolve login.microsoftonline.com.

  I turned DNSSEC validation off on one and it then resolved correctly.

	dnssec-validation no;

  Thanks for the info.  Our customers have reported that it does resolve at the Google public DNS servers also.

> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
> showers. Moderate or poor, occasionally good.

Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        

More information about the NANOG mailing list