pdns_recursor - SERVFAIL resolving protection.outlook.com domains

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

pdns_recursor - SERVFAIL resolving protection.outlook.com domains

shthead
Hi,

I upgraded my PowerDNS servers yesterday to the latest alpha to fix an
issue with memory, the upgrade has fixed that. It looks like after
upgrading from alpha2 to 0.0.910ge143fd4-1pdns.jessie I can no longer
resolve subdomains on protection.outlook.com. As an example:

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @10.254.1.10 a
swivelpole-com.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26622
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;swivelpole-com.mail.protection.outlook.com. IN A

;; Query time: 1080 msec
;; SERVER: 10.254.1.10#53(10.254.1.10)
;; WHEN: Tue May 10 10:00:27 AWST 2016
;; MSG SIZE  rcvd: 71

This problem has seemed to pop up recently for other people too, see the
bind-users and mailop mailing list:

https://lists.isc.org/pipermail/bind-users/2016-May/096800.html
https://www.mail-archive.com/mailop@.../msg01648.html

Short of going back to the other version with memory issues, is there
any config I can add/change that will possibly help with resolving these
names? I can't reproduce this on my other DNS servers that are running
Unbound or on the older PowerDNS recursor instances.

If its helpful, I have put a sample of the trace output here:

http://pastebin.com/raw/meBVe2xK

Thanks
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Reply | Threaded
Open this post in threaded view
|

Re: pdns_recursor - SERVFAIL resolving protection.outlook.com domains

Pieter Lexis-2
Hi Chris,

On Tue, 10 May 2016 10:08:08 +0800
Chris <[hidden email]> wrote:

> Short of going back to the other version with memory issues, is there
> any config I can add/change that will possibly help with resolving these
> names? I can't reproduce this on my other DNS servers that are running
> Unbound or on the older PowerDNS recursor instances.

It looks like there is a bug in the DNSSEC implementation. I can resolve this name on the current master branch with the `dnssec=off` setting.

We'll have a look at what goes wrong here. For now, disabeling DNSSEC will help.

Best regards,

Pieter

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Reply | Threaded
Open this post in threaded view
|

Re: pdns_recursor - SERVFAIL resolving protection.outlook.com domains

shthead
Hi,

I can confirm this work around works:

> It looks like there is a bug in the DNSSEC implementation. I can resolve this name on the current master branch with the `dnssec=off` setting.

If it helps, I also came across the same issue when resolving names on
secureserver.net - specifically smtp.secureserver.net.

Thanks
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users