Hi Jeff. Thanks for the quick response. I have tested this behavior on our test Windows 2012 Server instance, and just like what you have found, the responses indeed return with a NOERROR instead of a SERVFAIL. On the very same identical stock configuration (except with forwarders set), Windows 2008 R2 fails with a SERVFAIL as described in my email. Seemingly it is an oddity with Windows 2008 R2 in terms of how the records are parsed, although I still find it quite odd that BIND9 fiddles around with the ordering of these RRs and gets Windows confused in the first place. Perhaps someone who has a Windows 2008 R2 domain can go ahead and confirm this, but so far the only way I can see to mitigate this issue is either:
1. Disable EDNS on Windows 2008 R2 (which essentially disables the ability to accept DNSSEC based responses), or
2. Disable DNSSEC support in BIND9 with dnssec-enable no; (setting dnssec-validation no; has no effect).

Does anyone here have any thoughts?

Thanks!

David

--
David Lam
Security Administrator
Information Educational Technology
dav...@ucdavis.edu
(530) 752-6971
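A small diagnostic, added here as an example and not part of David's message or of BIND or Windows DNS, that reproduces the comparison the thread describes: the same question is sent once as a plain query and once with an EDNS0 OPT RR carrying the DO bit, and the two response codes (including any EDNS extended rcode) are compared, so a NOERROR/SERVFAIL split can be confirmed against a given resolver before changing EDNS or dnssec-enable settings. The resolver address and query name are the caller's; the sample replies at the bottom are constructed bytes, not captured traffic.

```python
import socket, struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, edns_do=False, qtype=1, txid=0x1234):
    """Standard query; with edns_do, append an EDNS0 OPT RR (4096-byte payload, DO bit set)."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_do else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    pkt = hdr + qname + struct.pack("!HH", qtype, 1)
    if edns_do:  # OPT RR: root name, type 41, payload size, ext-rcode 0, version 0, DO flag, rdlen 0
        pkt += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return pkt

def _skip_name(pkt, off):  # advance past a (possibly compressed) domain name
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def response_rcode(pkt):
    """Response code name; folds in the EDNS extended rcode carried by an OPT RR, if any."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:  # OPT reuses the TTL field: its top byte is the extended rcode
            rcode |= ((ttl >> 24) & 0xFF) << 4
        off += 10 + rdlen
    return RCODES.get(rcode, str(rcode))

def diagnose(plain_rcode, edns_rcode):
    # The thread's symptom: NOERROR to a plain query, SERVFAIL once EDNS/DO is present.
    if plain_rcode == "NOERROR" and edns_rcode == "SERVFAIL":
        return "EDNS/DO-specific SERVFAIL (matches the Windows 2008 R2 report)"
    return "no EDNS-specific difference (%s / %s)" % (plain_rcode, edns_rcode)

def probe(server, name, timeout=2.0):
    results = []
    for do in (False, True):  # same question twice: without, then with, the OPT RR
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns_do=do), (server, 53))
            results.append(response_rcode(s.recv(4096)))
    return diagnose(*results)
# Constructed sample replies (not captured traffic): question + OPT echoed back, NOERROR vs SERVFAIL.
_Q = build_query("example.com", edns_do=True)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _Q[12:]
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1) + _Q[12:]
```

Run `probe("<resolver-ip>", "<a signed name>")` against the Windows forwarder and against BIND9 directly; only the forwarder showing the EDNS/DO-specific split points at the forwarder's handling rather than at the upstream answer.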