outlook.com isn’t signed, so I doubt it is a DNSSEC error (though they
look the same). BIND should see that it isn’t signed and just roll
with it. Could be that a server in the chain isn’t responding
(whatever serves the mail.protection.outlook.com zone).
We use Office365 too, and have heard the same problem from people trying
to send us mail, only they have been seeing NXDOMAIN errors for names in
protection.outlook.com, not SERVFAIL. That was a few months ago and
haven’t seen the problem again.
Scott
On 28 Apr 2016, at 14:18, Rob Heilman wrote:
We are seeing intermittent but frequent SERVFAIL errors for Microsoft
owned hostnames in MX records. Specifically with
*.mail.protection.outlook.com hostnames. In the BIND logs we see
something like this:
28-Apr-2016 13:35:01.139 query-errors: debug 1: client
10.10.10.96#48950 (pitt-edu.mail.protection.outlook.com): query failed
(SERVFAIL) for pitt-edu.mail.protection.outlook.com/IN/A at
query.c:7004
That appears to be a fairly generic error in query.c:
/*
* Something has gone wrong.
*/
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
Is anyone else seeing this? I suspect it has something to do with
DNSSEC or possibly AAAA records, but haven’t proved it yet. Any
help would be greatly appreciated.
Thanks,
Rob Heilman
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
==================================
Scott Rose, NIST
sco...@nist.gov
ph: +1-301-975-8439
Google Voice: +1-571-249-3671
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
