> On Apr 28, 2016, at 11:18 AM, Rob Heilman <rheil...@echolabs.net> wrote: > > We are seeing intermittent but frequent SERVFAIL errors for Microsoft owned > hostnames in MX records. Specifically with *.mail.protection.outlook.com > hostnames. In the BIND logs we see something like this: > > 28-Apr-2016 13:35:01.139 query-errors: debug 1: client 10.10.10.96#48950 > (pitt-edu.mail.protection.outlook.com): query failed (SERVFAIL) for > pitt-edu.mail.protection.outlook.com/IN/A at query.c:7004 > > That appears to be a fairly generic error in query.c: > > /* > * Something has gone wrong. > */ > QUERY_ERROR(DNS_R_SERVFAIL); > goto cleanup; > > Is anyone else seeing this? I suspect it has something to do with DNSSEC or > possibly AAAA records, but haven’t proved it yet. Any help would be greatly > appreciated.
Looks like (some of) the Microsoft authoritative servers are confused by dnssec. ~ ∙ dig +dnssec @ns1-proddns.glbdns.o365filtering.com pitt-edu.mail.protection.outlook.com ; <<>> DiG 9.8.3-P1 <<>> +dnssec @ns1-proddns.glbdns.o365filtering.com pitt-edu.mail.protection.outlook.com ; (4 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 54828 ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available Cheers, Steve _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop