Microsoft your DNS servers are broken
- Subject: Microsoft your DNS servers are broken
- From: marka at isc.org (Mark Andrews)
- Date: Tue, 11 Sep 2018 17:05:33 +1000
While we are talking about DNS servers that are broken, Microsoft your servers are as well. As none
of the zones you serve are DNSSEC signed there isn't as much breakage possible but there are still
interoperability problems and unnecessary additional traffic. It's not like the EDNS specification
is complicated.
The microsoftonline servers will cause DNSSEC validation to fail if they ever serve a DNSSEC signed
zone in this state. The FORMERR will cause EDNS servers to fall back to plain DNS and the validators
won't get the records they need.
The azure servers cause problems for anyone deploying a new EDNS option as they have to cope with
your servers incorrectly echoing back the option. Additionally, if EDNS(1) is ever deployed there is
a good chance that resolvers will assume the broken answers indicate that there is no data at the
name.
Mark
cityofharrison-mi.gov. @207.46.15.59 (ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:1804::59 (ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @191.232.83.138 (ns3.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:b400::22 (ns3.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @157.56.81.41 (ns2.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:3403::41 (ns2.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @13.107.24.7 (ns3-07.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2a01:111:4000::7 (ns3-07.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @13.107.160.7 (ns4-07.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:bda::7 (ns4-07.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @64.4.48.7 (ns2-07.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:8ec::7 (ns2-07.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @40.90.4.7 (ns1-07.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2603:1061::7 (ns1-07.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
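
The EDNS behaviour the message above describes, as a check over raw reply bytes (an added example, not part of the original message and not ISC's test tool): under RFC 6891 a server that implements EDNS(0) ignores options it does not understand and answers a query carrying a higher EDNS version with BADVERS and version 0 in its own OPT record. The sample replies are constructed, and the finding labels, the `reply` helper and option code 65001 are this example's own assumptions.

```python
import struct

FORMERR, BADVERS, OPT = 1, 16, 41
UNKNOWN = 65001  # constructed option code (local/experimental range)

def reply(rcode=0, version=0, options=(), edns=True):
    """Build a constructed sample reply to 'example. SOA' (no answer records)."""
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = (rcode >> 4) << 24 | version << 16   # extended rcode | version | flags
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata
    hdr = struct.pack("!6H", 0x1234, 0x8000 | rcode & 0xF, 1, 0, 0, int(edns))
    return hdr + b"\x07example\0" + struct.pack("!HH", 6, 1) + (opt if edns else b"")

def skip_name(msg, i):
    """Return the offset just past the (possibly compressed) name at i."""
    while msg[i] and msg[i] < 0xC0:
        i += msg[i] + 1
    return i + (2 if msg[i] else 1)

def parse_edns(msg):
    """Return (full 12-bit rcode, EDNS version or None, option codes in the OPT RR)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    i, rcode, version, codes = 12, flags & 0xF, None, []
    for _ in range(qd):
        i = skip_name(msg, i) + 4
    for _ in range(an + ns + ar):
        i = skip_name(msg, i)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
        rdata, i = msg[i + 10:i + 10 + rdlen], i + 10 + rdlen
        if rtype == OPT:
            # The upper 8 bits of the rcode and the version live in the OPT TTL.
            rcode, version = rcode | (ttl >> 24) << 4, (ttl >> 16) & 0xFF
            while len(rdata) >= 4:
                code, length = struct.unpack("!HH", rdata[:4])
                codes.append(code)
                rdata = rdata[4 + length:]
    return rcode, version, codes

def check(sent_version, sent_options, msg):
    """List RFC 6891 problems in a reply to an EDNS query (labels are this example's)."""
    rcode, version, codes = parse_edns(msg)
    findings = [("formerr", rcode == FORMERR),
                ("no-opt", version is None),
                ("badvers-expected", sent_version > 0 and rcode != BADVERS),
                ("version-not-zero", version not in (None, 0)),
                ("echoed", bool(set(sent_options) & set(codes)))]
    return [label for label, hit in findings if hit]
```

`check(0, [UNKNOWN], reply(rcode=FORMERR, options=[(UNKNOWN, b"")]))` returns `["formerr", "echoed"]`, the same pair of findings the report lines show for `ednsopt` on the microsoftonline servers.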