I upgraded my PowerDNS servers yesterday to the latest alpha to fix an
issue with memory, the upgrade has fixed that. It looks like after
upgrading from alpha2 to 0.0.910ge143fd4-1pdns.jessie I can no longer
resolve subdomains on protection.outlook.com. As an example:
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @10.254.1.10 a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26622
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;swivelpole-com.mail.protection.outlook.com. IN A
Short of going back to the other version with memory issues, is there
any config I can add/change that will possibly help with resolving these
names? I can't reproduce this on my other DNS servers that are running
Unbound or on the older PowerDNS recursor instances.
If its helpful, I have put a sample of the trace output here:
> Short of going back to the other version with memory issues, is there
> any config I can add/change that will possibly help with resolving these
> names? I can't reproduce this on my other DNS servers that are running
> Unbound or on the older PowerDNS recursor instances.
It looks like there is a bug in the DNSSEC implementation. I can resolve this name on the current master branch with the `dnssec=off` setting.
We'll have a look at what goes wrong here. For now, disabeling DNSSEC will help.