> Looking at this further, it appears when EDNS is turned on in the Windows
> 2008 R2 DNS server (default, accepting DNSSEC responses), resolution fails
> occasionally with a SERVFAIL when NODATA is returned to BIND (i.e. 0 answers
> with a status code of NOERROR.)

I'm using Windows Server 2012 DNS with BIND 9.9.3 forwarders, and can't reproduce the issue. I tested "dig mx2.comcast.com srv +dnssec" and "dig bat.comcast.com srv +dnssec" against a Windows domain controller (simon) and its BIND 9.9.3 forwarder (nr1). All four queries, shown below, returned NOERROR. Perhaps this will provide you a useful basis for comparison in any event.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

--------------------

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\> dig '@simon' mx2.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @simon mx2.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;mx2.comcast.com. IN SRV

;; AUTHORITY SECTION:
comcast.com. 899 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1 209600 3600
comcast.com. 899 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
mx2.comcast.com. 899 IN NSEC mx3.comcast.com. A RRSIG NSEC

;; Query time: 31 msec
;; SERVER: 2001:4870:20ca:158:2c59:7bdf:ab15:4270#53(2001:4870:20ca:158:2c59:7bdf:ab15:4270)
;; WHEN: Sat Jul 06 21:12:35 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 331

PS C:\> dig '@nr1' mx2.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @nr1 mx2.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38367
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx2.comcast.com. IN SRV

;; AUTHORITY SECTION:
mx2.comcast.com. 2173 IN RRSIG NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. pmOHJX7dSN uFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRw jPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=
mx2.comcast.com. 2173 IN NSEC mx3.comcast.com. A RRSIG NSEC
comcast.com. 2173 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1 209600 3600
comcast.com. 2173 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=

;; Query time: 46 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sat Jul 06 21:12:46 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 502

PS C:\> dig '@simon' bat.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @simon bat.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26028
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;bat.comcast.com. IN SRV

;; AUTHORITY SECTION:
comcast.com. 900 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1 209600 3600
comcast.com. 900 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 900 IN NSEC www.bat.comcast.com. A RRSIG NSEC

;; Query time: 62 msec
;; SERVER: 2001:4870:20ca:158:2c59:7bdf:ab15:4270#53(2001:4870:20ca:158:2c59:7bdf:ab15:4270)
;; WHEN: Sat Jul 06 21:13:18 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 349

PS C:\> dig '@nr1' bat.comcast.com srv +dnssec

; <<>> DiG 9.9.3 <<>> @nr1 bat.comcast.com srv +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60015
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bat.comcast.com. IN SRV

;; AUTHORITY SECTION:
comcast.com. 3583 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1 209600 3600
comcast.com. 3583 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 3583 IN RRSIG NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. U87nbvAj7j 7pAk4kigqMyVy8XDeHqRP9756PTQsucrRTEchtScfBKWLl Eo7cWJc4Vcsfept+ixg0IiAxpwHATqwNTmq/giAeglFfeFmMHlXrhdOl Bl5myReo1gSXlpm0 +bvinOFRek/MUlYGLvDAq17noJag2k1oXrvhaNBo qWo=
awrelaypool02.comcast.com. 3583 IN NSEC www.bat.comcast.com. A RRSIG NSEC

;; Query time: 46 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sat Jul 06 21:13:36 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 520
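
Added example, not part of the original message: a small Python helper that reduces saved dig output to the fields compared in this thread (NODATA vs. SERVFAIL, the ad flag, the DO bit, the advertised EDNS UDP size) and lists where two servers disagree. The sample responses, names and function names are constructed for illustration.

```python
import re

# Constructed samples in the layout dig 9.9 prints; names and values are illustrative.
NODATA_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; AUTHORITY SECTION:
example.com.  900 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
"""
SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4000
"""

STATUS = re.compile(r"status: (\w+), id: \d+")
COUNTS = re.compile(r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
EDNS = re.compile(r"; EDNS: version: \d+, flags: ?([a-z ]*); udp: (\d+)")
# An SOA record line (not the ";"-prefixed question line) marks a negative answer.
SOA = re.compile(r"^[^;\n].*\sIN\s+SOA\s", re.M)

def summarize(dig_output):
    """Reduce one dig response to the fields worth comparing across servers."""
    status, counts = STATUS.search(dig_output), COUNTS.search(dig_output)
    if not status or not counts:
        raise ValueError("no dig response header found")
    edns = EDNS.search(dig_output)
    rcode, answers = status.group(1), int(counts.group(2))
    if rcode == "NOERROR" and answers == 0 and SOA.search(dig_output):
        kind = "NODATA"   # name exists, but no records of the queried type
    elif rcode == "NOERROR" and answers == 0:
        kind = "EMPTY"    # no SOA present: referral or stripped reply
    else:
        kind = "ANSWER" if rcode == "NOERROR" else rcode
    return {
        "kind": kind,
        "ad": "ad" in counts.group(1).split(),  # server reports validated data
        "do": bool(edns) and "do" in edns.group(1).split(),
        "udp": int(edns.group(2)) if edns else None,
    }

def differences(a, b):
    """Return the field names on which two dig outputs disagree."""
    sa, sb = summarize(a), summarize(b)
    return sorted(k for k in sa if sa[k] != sb[k])
```

Running the same query repeatedly and logging summarize() for each reply makes an intermittent SERVFAIL easy to spot among NODATA responses.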