ns1-proddns.glbdns.o365filtering.com unreachable?

Peter van Dijk peter.van.dijk at powerdns.com
Wed Jul 6 10:15:31 UTC 2022

On Wed, 2022-07-06 at 11:49 +0200, Stephane Bortzmeyer wrote:
> On Wed, Jul 06, 2022 at 11:37:40AM +0200,
>  Bjoern Franke via NANOG <nanog at nanog.org> wrote 
>  a message of 10 lines which said:
> > <tenant>.mail.protection.outlook.com seems to throw servfails.
> The authoritative name servers for this domain do not handle EDNS
> (which was specified only 23 years ago) so the resolvers that do not
> fallback on EDNS (probably the majority) return a SERVFAIL.

While it is true that their auths do not handle EDNS, they cover that
by responding with FORMERR without an EDNS section. All resolvers
should in fact fall back.

>From what I can tell, the real problem is that these servers barely
respond at all - so little that it's easy to conclude that EDNS is the
reason, but without EDNS responses are just as sporadic.

So, in short, they have a DNS responding problem; their bad handling of
EDNS makes that worse, because now a resolver needs to get two queries
(one with EDNS, then one without) through to them before resolving
something - and then it is rewarded with a 10 second TTL!

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the NANOG mailing list