> On May 4, 2016, at 4:19 PM, Franck Martin via mailop <mailop@mailop.org> wrote:
>
> I like to use this tool to tell me everything...
>
> I used it on the first domain, told me there are 2 errors:
> http://dnsviz.net/d/alleghenycourts-us.mail.protection.outlook.com/dnssec/

That's just the same "these servers don't support EDNS" thing.

> 04-May-2016 09:46:22.236 query-errors: debug 1: client 10.10.10.95#44080
> (alleghenycourts-us.mail.protection.outlook.com): query failed (SERVFAIL) for
> alleghenycourts-us.mail.protection.outlook.com/IN/Aat query.c:7004
> 04-May-2016 09:46:22.236 query-errors: debug 2: fetch completed at
> resolver.c:3074 for alleghenycourts-us.mail.protection.outlook.com/A in
> 0.000122: failure/success
> [domain:mail.protection.outlook.com,referral:0,restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]

adberr only gets set if bind can't find the address of the remote server in the local adb.

Given the DNS topology looks OK, and it seems to work for some people, I'd look at the resolver setup ... dodgy firewall, or a miscommunication in what size EDNS packets are acceptable, or something not dealing with fragmented packets, or ...?

This knowledgebase article - https://kb.isc.org/article/AA-01219/ - might be useful, as might this thread - https://lists.isc.org/pipermail/bind-users/2011-February/082892.html .

(If it were my resolver I'd be dumping packets and seeing what was going on on the wire, if bind's logging can't be turned up that high).

Cheers,
  Steve
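
As an added example that is not part of the original message: a small Python parser for the `fetch completed` debug 2 line quoted above, listing which error counters are non-zero. The function names and the counter descriptions (paraphrased from the BIND ARM) are the example's own; the sample line is the one from the thread.

```python
import re

# Error counters in the bracketed list; descriptions paraphrase the BIND ARM.
ERROR_COUNTERS = {
    "timeout": "timeouts since the last response",
    "lame": "lame servers detected",
    "neterr": "network errors while sending queries",
    "badresp": "unexpected responses",
    "adberr": "failures finding server addresses in the ADB",
    "findfail": "failures resolving server addresses",
    "valfail": "DNSSEC validation failures",
}
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+)/(?P<rtype>\w+) in "
    r"(?P<secs>[\d.]+): (?P<result>\S+) \[(?P<fields>[^\]]*)\]")

def parse_fetch_line(text):
    """Parse a 'fetch completed' debug 2 record; None if it does not match."""
    flat = re.sub(r"\s*\n>?\s*", " ", text)  # undo mail-quote line wrapping
    m = FETCH_RE.search(flat)
    if not m:
        return None
    rec = {"name": m["name"], "rtype": m["rtype"], "seconds": float(m["secs"]),
           "result": m["result"], "domain": None, "counters": {}}
    for field in m["fields"].split(","):
        key, _, value = field.partition(":")
        if key == "domain":
            rec["domain"] = value
        elif value.isdigit():
            rec["counters"][key] = int(value)
    return rec

def triage(rec):
    """List non-zero error counters, plus one heuristic note (example only)."""
    c = rec["counters"]
    notes = [f"{k}={c[k]}: {d}" for k, d in ERROR_COUNTERS.items() if c.get(k)]
    if c.get("adberr") and c.get("qrysent") == 0:
        notes.append(f"no query was sent to the {rec['domain']} servers")
    return notes

SAMPLE = (  # the debug 2 line from the thread, mail wrapping included
    "04-May-2016 09:46:22.236 query-errors: debug 2: fetch completed at\n"
    "> resolver.c:3074 for alleghenycourts-us.mail.protection.outlook.com/A in\n"
    "> 0.000122: failure/success\n> [domain:mail.protection.outlook.com,referral:0,"
    "restart:1,qrysent:0,timeout:0,lame:0,neterr:0,badresp:0,adberr:2,findfail:0,valfail:0]")

if __name__ == "__main__":
    print("\n".join(triage(parse_fetch_line(SAMPLE))))
```

On this record the only non-zero error counter is `adberr`, and `qrysent` is 0, so the failure was logged before any query went to the zone's servers.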