Re: DNSSEC broken for login.microsoftonline.com

2015-10-28 Thread Avdija Ahmedhodžić
Also, ns2.bdm.microsoftonline.com is offline for about 12 hours > On 27 Oct 2015, at 18:35, Tony Finch wrote: > > Bruce Curtis wrote: >> >> FYI our DNS requests to resolve login.microsoftonline.com are failing >> because of a DNSSEC error. > > There's no

Re: DNSSEC broken for login.microsoftonline.com

2015-10-28 Thread Tony Finch
Bruce Curtis wrote: > Drill run on one of our name servers shows that the error is > > Existence denied: microsoftonline.com No, drill just says there are no DS records which means the domain is insecure so any problems with it should be unrelated to DNSSEC. >

DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Bruce Curtis
FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error. http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com http://dnsviz.net/d/login.microsoftonline.com/dnssec/ ns1 domain]$ drill -DT login.microsoftonline.com Warning: No trusted keys

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Tony Finch
Bruce Curtis wrote: > > FYI our DNS requests to resolve login.microsoftonline.com are failing > because of a DNSSEC error. There's no DS record for microsoftonline.com so you shouldn't have any DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't show any

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Bruce Curtis
> On Oct 27, 2015, at 12:35 PM, Tony Finch wrote: > > Bruce Curtis wrote: >> >> FYI our DNS requests to resolve login.microsoftonline.com are failing >> because of a DNSSEC error. > > There's no DS record for microsoftonline.com so you shouldn't have any

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Bruce Curtis
> On Oct 27, 2015, at 2:38 PM, Avdija Ahmedhodžić wrote: > > Also, ns2.bdm.microsoftonline.com is offline for about 12 hours The problems started yesterday, more than 12 hours ago. Thanks. > >> On 27 Oct 2015, at 18:35, Tony Finch wrote: >> >> Bruce Curtis

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Bruce Curtis
> On Oct 27, 2015, at 3:37 PM, Bruce Curtis wrote: > > >> On Oct 27, 2015, at 12:35 PM, Tony Finch wrote: >> >> Bruce Curtis wrote: >>> >>> FYI our DNS requests to resolve login.microsoftonline.com are failing >>> because of a

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Bruce Curtis
Actually login.microsoftonline.com is resolving but the CNAME it points to, login.microsoftonline.com.nsatc.net is not resolving because of a DNSSEC issue. [ns1 ~]$ drill -k /tmp/rootkey -DT login.microsoftonline.com.nsatc.net CNAME ;; Number of trusted keys: 2 ;; Domain: . [T] . 172800 IN