On Wed, 2022-07-06 at 11:49 +0200, Stephane Bortzmeyer wrote:
> On Wed, Jul 06, 2022 at 11:37:40AM +0200,
>  Bjoern Franke via NANOG <nanog@nanog.org> wrote
>  a message of 10 lines which said:
>
> > <tenant>.mail.protection.outlook.com seems to throw servfails.
>
> The authoritative name servers for this domain do not handle EDNS
> (which was specified only 23 years ago) so the resolvers that do not
> fallback on EDNS (probably the majority) return a SERVFAIL.

While it is true that their auths do not handle EDNS, they cover that by responding with FORMERR without an EDNS section. All resolvers should in fact fall back.

From what I can tell, the real problem is that these servers barely respond at all - so little that it's easy to conclude that EDNS is the reason, but without EDNS responses are just as sporadic.

So, in short, they have a DNS responding problem; their bad handling of EDNS makes that worse, because now a resolver needs to get two queries (one with EDNS, then one without) through to them before resolving something - and then it is rewarded with a 10 second TTL!

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
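
Added example, not part of the original message and not PowerDNS code: a minimal sketch of the fallback decision described above, where a FORMERR reply carrying no OPT record to an EDNS query triggers a second query without EDNS. The function names, the 1232-byte UDP size, `example.com` and the sample reply are assumptions constructed for illustration.

```python
import struct

FORMERR, TYPE_A, TYPE_OPT, CLASS_IN = 1, 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qid, name, edns=True, udp_size=1232):
    """Build an A query; with edns=True append an empty OPT pseudo-RR."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:  # root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, has_opt) for a DNS message."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == TYPE_OPT
    return flags & 0x000F, has_opt

def next_step(sent_edns, response):
    """Decide what the resolver does after one attempt (None means timeout)."""
    if response is None:
        return "retry"
    rcode, has_opt = parse_response(response)
    if sent_edns and rcode == FORMERR and not has_opt:
        return "retry-without-edns"  # the second query the message refers to
    return "use-response"  # normal RCODE handling, outside this sketch

# Constructed sample: FORMERR reply (QR=1, RCODE=1) echoing the question, no OPT.
SAMPLE_FORMERR = (struct.pack("!HHHHHH", 0x1234, 0x8001, 1, 0, 0, 0)
                  + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN))
```

With sporadic responses, both the EDNS query and the plain retry have to get through before anything resolves, which is why the timeout branch matters as much as the FORMERR branch.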