DNSSEC broken for login.microsoftonline.com

Bruce Curtis bruce.curtis at ndsu.edu
Tue Oct 27 21:59:21 UTC 2015


> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.curtis at ndsu.edu> wrote:
> 
> 
>> On Oct 27, 2015, at 12:35 PM, Tony Finch <dot at dotat.at> wrote:
>> 
>> Bruce Curtis <bruce.curtis at ndsu.edu> wrote:
>>> 
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>> 
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSViz doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
> 
> 
>  DNSViz did list 4 errors earlier.
> 
>  4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
> 
>  I turned DNSSEC validation off on one and it then resolved correctly.
> 
> 	dnssec-validation no;
> 
>  Thanks for the info.  Our customers have reported that it does resolve at the Google public DNS servers also.


  Drill run on one of our name servers shows that the error is

	Existence denied: microsoftonline.com


[ns1 domain]$ drill -k /tmp/rootkey -DT  login.microsoftonline.com
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
	Trusted key: .	143619	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	143619	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted


> 
>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>> 
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>> 
>> Tony.
>> -- 
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
> 
> ---
> Bruce Curtis                         bruce.curtis at ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University        
> 

---
Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        
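
Added example (not part of the original message, and not code from drill or from the list): a small Python triage helper that reduces a `drill -DT` trace like the one above to the zone cut where the chain of trust ends and the flag on the final answer. The sample trace is constructed and abbreviated, `summarize` is a hypothetical name, and reading `[U]` as "not validated" is an assumption, since the legend the tool printed lists only `[S]`, `[B]` and `[T]`.

```python
import re

# Constructed sample: abbreviated from the shape of the drill -DT trace above
# (key material dropped, DS digest replaced by a placeholder).
SAMPLE_TRACE = """\
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
[T] com. 86400 IN DS 30909 8 2 <digest>
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
[T] Existence denied: microsoftonline.com. DS
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; Domain: login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
"""

FLAGGED = re.compile(r"^\[([TBSU])\]\s+(.*)$")   # [U] meaning is an assumption
DENIED_DS = re.compile(r"^Existence denied: (\S+) DS$")
NO_DATA = re.compile(r"^No data found for: (\S+) type (\S+)$")

def summarize(trace):
    """Reduce a drill -DT trace to where the chain of trust ends and why."""
    out = {"zones": [], "bogus": [], "insecure_at": None, "no_data": None}
    for line in trace.splitlines():
        line = line.strip()
        if line.startswith(";; Domain: "):
            out["zones"].append(line[len(";; Domain: "):])
            continue
        m = FLAGGED.match(line)
        if not m:
            continue
        flag, rest = m.groups()
        denied, nodata = DENIED_DS.match(rest), NO_DATA.match(rest)
        if flag == "B":
            out["bogus"].append(rest)            # a signature failed to validate
        elif flag == "T" and denied and out["insecure_at"] is None:
            out["insecure_at"] = denied.group(1)  # parent proved no DS exists here
        elif nodata:
            out["no_data"] = (flag, nodata.group(1), nodata.group(2))
    if out["bogus"]:
        out["verdict"] = "bogus"
    elif out["insecure_at"]:
        out["verdict"] = "insecure delegation"
    else:
        out["verdict"] = "indeterminate"         # includes fully signed chains
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```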



