On Wed, Oct 06, 2021 at 10:44:46AM +0000, Martin George wrote:
> I was wondering if anyone else has noticed this behaviour previously,

See: <https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2>

   Note that DNS queries with type TLSA are mishandled by load-balancing
   nameservers that serve the MX hostnames of some large email providers.
   The DNS zones served by these nameservers are not signed and contain
   no TLSA records. These nameservers SHOULD provide "insecure" negative
   replies that indicate the nonexistence of the TLSA records, but
   instead they fail by not responding at all or by responding with a
   DNS RCODE [RFC1035] other than NXDOMAIN, e.g., SERVFAIL or NOTIMP
   [RFC2136].

That text was composed in 2013, and is specifically, though not
explicitly, about Microsoft's mail.protection.outlook.com. Not only do
the nameservers not support EDNS, they also mishandle queries for
unusual RRtypes, by incorrectly returning NOTIMP, rather than SERVFAIL.

> and could provide any reasoning behind it? Is anyone else seeing
> failures with queries for mail.protection.outlook.com and any child
> zones of the aforementioned?

This behaviour is at least 8.5 years old. The reason is that they're
getting away with it. Most resolvers handle this by retrying without
EDNS after FORMERR. If a resolver stops supporting non-EDNS servers, it
becomes unable to resolve names under mail.protection.outlook.com.

-- 
    Viktor.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
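The following is an added example, not part of Viktor's reply and not code from any resolver or from the nameservers discussed. It builds a TLSA query in DNS wire format with and without an EDNS OPT record, applies the fallback strategy the reply describes (retry without EDNS after FORMERR), and classifies the final RCODE as either a proper "insecure" negative reply or the broken SERVFAIL/NOTIMP behaviour quoted from RFC 7672. The function names (`build_query`, `query_with_fallback`, `stub_misbehaving_server`, `udp_sender`) are hypothetical, the query name `_25._tcp.mx.example.net` is constructed, and the stub server is a constructed stand-in that models the behaviour described in the thread so the script runs offline; `udp_sender` is included for probing a real nameserver you are authorised to query.

```python
"""Added example: EDNS-then-plain TLSA probe with RCODE classification.
Standard library only; the misbehaving nameserver below is a constructed stub."""
import socket
import struct

QTYPE_TLSA = 52
QTYPE_OPT = 41
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
EDNS_UDP_SIZE = 1232  # UDP payload size advertised in the OPT record (a common choice)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, edns: bool, txid: int = 0x1234) -> bytes:
    """Recursion-desired query; with edns=True an OPT pseudo-RR is appended (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, CLASS = payload size, TTL = ext-rcode/version/flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_SIZE, 0, 0)
    return msg


def rcode_of(response: bytes) -> str:
    """Symbolic RCODE from the low four bits of the header flags."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))


def answer_count(response: bytes) -> int:
    return struct.unpack("!H", response[6:8])[0]


def query_with_fallback(qname: str, qtype: int, send) -> dict:
    """Mirror the common resolver strategy: EDNS first, plain DNS only after FORMERR."""
    attempts = []
    reply = send(build_query(qname, qtype, edns=True))
    attempts.append(("edns", rcode_of(reply)))
    if rcode_of(reply) == "FORMERR":
        reply = send(build_query(qname, qtype, edns=False))
        attempts.append(("noedns", rcode_of(reply)))
    rcode = rcode_of(reply)
    if rcode in ("NOERROR", "NXDOMAIN") and answer_count(reply) == 0:
        verdict = "insecure negative reply: no records of that type"
    elif rcode == "NOERROR":
        verdict = "records returned"
    else:
        verdict = "broken nameserver: %s instead of a negative reply" % rcode
    return {"attempts": attempts, "verdict": verdict}


def _question_len(query: bytes) -> int:
    """Length of the question section that starts at offset 12."""
    i = 12
    while query[i] != 0:
        i += query[i] + 1
    return (i + 1 - 12) + 4  # labels + terminator + QTYPE + QCLASS


def stub_misbehaving_server(query: bytes) -> bytes:
    """Constructed stand-in for the behaviour described in the thread:
    FORMERR for any query carrying EDNS, NOTIMP for TLSA once EDNS is dropped."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:12 + _question_len(query)]
    qtype = struct.unpack("!H", question[-4:-2])[0]
    if ar > 0:
        rcode = 1  # FORMERR: OPT record not understood
    elif qtype == QTYPE_TLSA:
        rcode = 4  # NOTIMP: unusual RRtype mishandled
    else:
        rcode = 0  # NOERROR with an empty answer section
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, qd, 0, 0, 0) + question


def udp_sender(server_ip: str, timeout: float = 3.0):
    """Return a send() that talks to a real nameserver over UDP port 53 (assumed reachable)."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server_ip, 53))
            return s.recv(4096)
    return send


if __name__ == "__main__":
    # Offline run against the constructed stub; swap in udp_sender("<nameserver ip>") for a real probe.
    print(query_with_fallback("_25._tcp.mx.example.net", QTYPE_TLSA, stub_misbehaving_server))
```

Against the stub the attempts come back as FORMERR then NOTIMP, which is exactly the sequence a resolver that has dropped its non-EDNS fallback can no longer get past; an A query against the same stub ends in an empty NOERROR, showing why ordinary MX resolution keeps working while TLSA lookups do not.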
