nanog mailing list archives

Re: Microsoft your DNS servers are broken


From: Mehmet Akcin <mehmet () akcin net>
Date: Tue, 11 Sep 2018 00:14:25 -0700

I have forwarded this to my contacts at Microsoft.

On Tue, Sep 11, 2018 at 12:06 AM Mark Andrews <marka () isc org> wrote:

While we are talking about DNS servers that are broken, Microsoft, your
servers are as well.  As none of the zones you serve are DNSSEC signed,
there isn't as much breakage possible, but there are still interoperability
problems and unnecessary additional traffic.  It's not like the EDNS
specification is complicated.

The microsoftonline servers will cause DNSSEC validation to fail if they
ever serve a DNSSEC signed zone in this state.  The FORMERR will cause EDNS
servers to fall back to plain DNS and the validators won't get the records
they need.

The azure servers cause problems for anyone deploying a new EDNS option, as
they have to cope with your servers incorrectly echoing back the option.
Additionally, if EDNS(1) is ever deployed there is a good chance that
resolvers will assume the broken answers indicate that there is no data at
the name.

Mark

cityofharrison-mi.gov. @207.46.15.59 (ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:1804::59 (ns1.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @191.232.83.138 (ns3.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:b400::22 (ns3.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @157.56.81.41 (ns2.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok
cityofharrison-mi.gov. @2a01:111:f406:3403::41 (ns2.bdm.microsoftonline.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=formerr,echoed edns1opt=formerr,version-not-zero,echoed do=ok ednsflags=ok optlist=formerr,subnet signed=ok ednstcp=ok

clintoncounty-ia.gov. @13.107.24.7 (ns3-07.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2a01:111:4000::7 (ns3-07.azure-dns.org.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @13.107.160.7 (ns4-07.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:bda::7 (ns4-07.azure-dns.info.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @64.4.48.7 (ns2-07.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2620:1ec:8ec::7 (ns2-07.azure-dns.net.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @40.90.4.7 (ns1-07.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
clintoncounty-ia.gov. @2603:1061::7 (ns1-07.azure-dns.com.): dns=ok edns=ok edns1=noerror,badversion edns@512=ok ednsopt=echoed edns1opt=noerror,badversion do=ok ednsflags=ok optlist=ok,subnet signed=ok ednstcp=ok
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org

--
Mehmet
+1-424-298-1903
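
The behaviours reported in the quoted message (FORMERR on an unknown EDNS option, the option echoed back, no BADVERS for EDNS version 1) can be checked offline against DNS wire format. The following is an added example, not part of the thread and not the tool that produced the output above. It applies the RFC 6891 rules that unknown options are ignored and an unsupported version is answered with BADVERS. The function names, the status labels, option code 65001, example.com and both sample replies are constructed for illustration.

```python
import struct
FORMERR, BADVERS, OPT = 1, 16, 41   # RCODE 1, extended RCODE 16, OPT RR type (RFC 6891)

def build_message(qid, flags, name, edns=None):
    # edns = (version, ext_rcode, [(code, data), ...]); None sends plain DNS
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if edns else 0)
    msg += qname + struct.pack("!2H", 1, 1)               # QTYPE=A, QCLASS=IN
    if edns:
        version, ext_rcode, options = edns
        rdata = b"".join(struct.pack("!2H", c, len(d)) + d for c, d in options)
        ttl = (ext_rcode << 24) | (version << 16)          # OPT reuses the TTL field
        msg += b"\0" + struct.pack("!HHIH", OPT, 4096, ttl, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:                   # walk ordinary labels
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)           # pointer: 2 bytes, root: 1

def parse_edns(msg):                                      # -> (rcode, version, codes)
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, rcode, version, codes = 12, flags & 0xF, None, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off) + 10                    # fixed RR header follows the name
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off - 10)
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4                     # upper 8 bits of the 12-bit RCODE
            version, p = (ttl >> 16) & 0xFF, off
            while p < off + rdlen:
                code, length = struct.unpack("!2H", msg[p:p + 4])
                codes.append(code)
                p += 4 + length
        off += rdlen
    return rcode, version, codes

def check(response, sent_version, sent_codes):
    rcode, version, codes = parse_edns(response)
    found = {"formerr": rcode == FORMERR,
             "no-badvers": sent_version > 0 and rcode != BADVERS,
             "version-not-zero": bool(version),
             "echoed": bool(set(codes) & set(sent_codes))}
    return [label for label, bad in found.items() if bad] or ["ok"]

# Constructed replies, not captured traffic: 65001 is a local-use option code.
FORMERR_ECHO = build_message(1, 0x8401, "example.com", (0, 0, [(65001, b"")]))
NOERROR_TO_V1 = build_message(2, 0x8400, "example.com", (0, 0, []))
```

`check(FORMERR_ECHO, 0, [65001])` and `check(NOERROR_TO_V1, 1, [])` classify the two constructed replies; a live probe would send `build_message(...)` with flags 0 over UDP and pass the reply to `check`.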
