On Thu, Nov 21, 2013 at 09:48:52AM +1100, Mark Andrews wrote:

> [email protected]
>        your choice of mail handler provider is causing operational
> problem.

Thanks, I've already notified NIST off-list.  Any comments on the
work-around (avoiding TLSA lookup when the base-domain's A or AAAA
record is "insecure")?

> >     $ secdig -t NS _25._tcp.nist-gov.mail.protection.outlook.com.
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30308
> >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > so clearly whatever DNS load-balancing kit is responsible for
> > mail.protection.outlook.com (the problem happens for all names
> > from this domain down) has a rather incomplete DNS implementation.
> 
> Yep, it returns NOTIMP and the developers didn't think about what
> the correct response to a query type that you don't load should be.

If this is useful to anyone, the DNS servers in question are:

    mail.protection.outlook.com. IN    NS ns1-proddns.glbdns.o365filtering.com.
    mail.protection.outlook.com. IN    NS ns2-proddns.glbdns.o365filtering.com.

delegated from:

    protection.outlook.com. IN      NS ns2-gtm.glbdns.o365filtering.com.
    protection.outlook.com. IN      NS ns1-gtm.glbdns.o365filtering.com.

the latter don't appear to exhibit the problem.

> RFC 103[45] say what to return if the name exists and
> the type doesn't and it isn't NOTIMP.

In this case the name does not exist, so the nameserver should be
returning NXDOMAIN, but it snatches defeat from the jaws of victory
and indeed returns "NOTIMP":

    ; <<>> DiG 9.8.0rc1 <<>> +norecur -t TYPE52 _25._tcp.mail.protection.outlook.com. @ns1-proddns.glbdns.o365filtering.com.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 4960
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

which 8.8.8.8 relayed as SERVFAIL.  If there is someone from
Microsoft on this list, please forward a pointer to this thread to the
appropriate interested parties.

-- 
        Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
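The work-around discussed in this message (skip the TLSA query when the MX host's A/AAAA answer is not DNSSEC-secure, and treat a SERVFAIL/NOTIMP on a TLSA query under a signed name as a failure rather than as "no DANE"), written out as an added example that is not code from the thread or from any MTA. The resolver callbacks, the `DnsResult` type and the sample hosts are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field

# RFC 1035 RCODE values
NOERROR, SERVFAIL, NXDOMAIN, NOTIMP = 0, 2, 3, 4


@dataclass
class DnsResult:
    """Minimal view of a validating resolver's answer (constructed type)."""
    rcode: int
    secure: bool = False            # AD bit: answer was DNSSEC-validated
    records: list = field(default_factory=list)


def tlsa_qname(host, port=25, proto="tcp"):
    """Owner name of the TLSA RRset for an MX host, e.g. _25._tcp.mx.example."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def dane_decision(mx_host, lookup_addr, lookup_tlsa):
    """Decide how an SMTP client treats mx_host: "no-dane", "dane" or "tempfail".

    lookup_addr(host) / lookup_tlsa(qname) are hypothetical resolver callbacks
    returning DnsResult.
    """
    addr = lookup_addr(mx_host)
    if addr.rcode != NOERROR or not addr.secure:
        # Work-around from the thread: with an unsigned A/AAAA answer, no TLSA
        # record for this host could be trusted anyway, so do not query TLSA
        # at all and never hit the broken NOTIMP/SERVFAIL path.
        return "no-dane"
    tlsa = lookup_tlsa(tlsa_qname(mx_host))
    if tlsa.rcode == NXDOMAIN or (tlsa.rcode == NOERROR and not tlsa.records):
        return "no-dane"            # signed denial: host simply has no TLSA
    if tlsa.rcode == NOERROR and tlsa.secure:
        return "dane"
    # SERVFAIL (e.g. a forwarder relaying NOTIMP), NOTIMP, or an unsigned
    # TLSA answer below a signed name: cannot tell breakage from downgrade.
    return "tempfail"


def demo():
    """Constructed scenarios: unsigned MX host (as in the thread) vs. signed host."""
    unsigned_addr = lambda h: DnsResult(NOERROR, secure=False, records=["192.0.2.10"])
    signed_addr = lambda h: DnsResult(NOERROR, secure=True, records=["192.0.2.20"])
    servfail_tlsa = lambda q: DnsResult(SERVFAIL)           # NOTIMP relayed as SERVFAIL
    signed_tlsa = lambda q: DnsResult(NOERROR, secure=True, records=["3 1 1 <hash>"])
    return {
        "unsigned-host": dane_decision("mx.unsigned.example", unsigned_addr, servfail_tlsa),
        "signed-servfail": dane_decision("mx.signed.example", signed_addr, servfail_tlsa),
        "signed-tlsa": dane_decision("mx.signed.example", signed_addr, signed_tlsa),
    }
```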
