> On Aug 18, 2016, at 8:11 AM, David <open...@shaw.ca> wrote: > > On 2016-08-18 8:37 AM, Pieter Lexis wrote: >> Hi Michael, >> >> On Thu, 18 Aug 2016 14:20:25 +0000 >> Michael <m...@michi.su> wrote: >> >>> Last week I updated to Ubuntu 16.04. So I have a new Postfix version >>> (3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2). >>> >>> Since this update Postfix does not receive correct answers for a >>> particular query anymore. Concretely, queries for A entries of >>> Office365 mail servers. >>> >>> For example if Postfix asks for the A entry of >>> nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix >>> that there does not exists a A record. >>> However, if I manually do this query with dig, I do get an correct >>> answer. Please see the logs at the end of the mail. >>> >>> Besides the queries of Office365 mail servers, the rest is working >>> fine. I have no idea how to track down that issue? Is there any >>> setting in pdns_recursor I have to change? >> >> Postfix might be asking for DNSSEC, which is finiky in the alpha version >> Ubuntu pulled in. Can you install 4.0.1 from our repositories[1] and try >> again? 4.0.1 has about 5 months more development time in it. >> > > Also see: https://www.mail-archive.com/mailop@mailop.org/msg01648.html for > more information on how Microsoft does DNS and the issues encountered with > Office365. (DNSSEC and EDNS issues, IIRC). >
Their load balancers return FORMERR in response to DNSSEC (or any EDNS, I presume) requests. It's been an ongoing issue (and I've seen it cause resolution problems previously, with pdns_recursor 3.something). Speculation was that it was something to do with short TTLs and/or packet size limitations somewhere on the resolution path. I don't think anyone has looked at the traffic deeply enough to say for sure. Cheers, Steve _______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users
