BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server
Spain, Dr. Jeffry A.
spainj at countryday.net
Sun Jul 7 20:12:54 UTC 2013
>> Based on a Microsoft tech support case that I opened, the only way to fix this was to turn off EDNS ("dnscmd /config /EnableEDnsProbes 0").
>> This also seems to have been fixed in Windows Server 2012.
> What a bummer, this essentially stops anyone from using DNSSEC validation correctly on R2. And while DNSSEC validation is a useful utility, what concerns me more is the inability for other organizations / entities to be able to look up our DNSSEC signed zones, especially with the fact that IPv6 is enabled by default on R2, causing unanticipated service failures for these organizations / entities.
I think the best bet with Windows Server 2008 R2 DNS is to disable recursion, turn off EDNS ("dnscmd /config /EnableEDnsProbes 0"), and continue to use one or more DNSSEC-enabled BIND 9 recursive resolvers as forwarders ("options { dnssec-validation auto; allow-query { domain-controllers; }; allow-recursion { domain-controllers; }; };"). If you do this, querying the domain controller with "dig badsign-A.test.dnssec-tools.org" does return a proper SERVFAIL response. DNSSEC validation is being performed by the BIND resolver, but this is transparent to the Windows environment.
I have continued to do things this way with my Windows Server 2012 domain controllers, although as you pointed out, it hasn't been necessary to disable EDNS since the CD flag in queries from the domain controller to the forwarders is cleared by default in this version.
Back to your original question, I have a Windows Server 2008 R2 test VM available and so built a domain controller and attempted to confirm your findings with dig, shown below. All four dig queries returned NOERROR. The query "dig mx2.comcast.com srv +dnssec" caused the domain controller to query the forwarder, which returned the Authority records in the order shown below. This was confirmed by Wireshark, and is the same order as shown in your queries posted earlier. If I understand you correctly, this contradicts your hypothesis that Windows Server 2008 R2 DNS requires that the SOA record be returned first in the Authority section to avoid a SERVFAIL response.
Regards, Jeff.
--------------------
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\> dig mx2.comcast.com srv +dnssec
; <<>> DiG 9.9.3 <<>> mx2.comcast.com srv +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;mx2.comcast.com. IN SRV
;; AUTHORITY SECTION:
mx2.comcast.com. 60 IN NSEC mx3.comcast.com. A RRSIG NSEC
mx2.comcast.com. 3600 IN RRSIG NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. pmOHJX7dSN uFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRw jPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=
;; Query time: 124 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 07 15:46:43 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 252
PS C:\> dig '@2001:4870:20ca:158:8c2f:b9ff:31f7:3836' mx2.comcast.com srv +dnssec
; <<>> DiG 9.9.3 <<>> @2001:4870:20ca:158:8c2f:b9ff:31f7:3836 mx2.comcast.com srv +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48676
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx2.comcast.com. IN SRV
;; AUTHORITY SECTION:
mx2.comcast.com. 3600 IN RRSIG NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. pmOHJX7dSN uFSRiFvxNIIuhQk/Sh6/9xSiZ2wj2I6RDKkrQlDScdFjDB nSpeWt9068Wq+aQE36dbTsvyyCKgtrPcJIUxKVCtsXzTavXdx9XVGwG9 cKF6TrQx+MGPRwRw jPorDmPJxImveGMeE7X4Nl1mkGk/lRJwbvk1yFWV w1w=
mx2.comcast.com. 3600 IN NSEC mx3.comcast.com. A RRSIG NSEC
comcast.com. 3600 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com. 3600 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
;; Query time: 78 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sun Jul 07 15:48:32 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 502
PS C:\> dig bat.comcast.com srv +dnssec
; <<>> DiG 9.9.3 <<>> bat.comcast.com srv +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;bat.comcast.com. IN SRV
;; AUTHORITY SECTION:
comcast.com. 900 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com. 900 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 900 IN NSEC www.bat.comcast.com. A RRSIG NSEC
;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 07 15:48:49 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 349
PS C:\> dig '@2001:4870:20ca:158:8c2f:b9ff:31f7:3836' bat.comcast.com srv +dnssec
; <<>> DiG 9.9.3 <<>> @2001:4870:20ca:158:8c2f:b9ff:31f7:3836 bat.comcast.com srv +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30832
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bat.comcast.com. IN SRV
;; AUTHORITY SECTION:
comcast.com. 3600 IN SOA dns101.comcast.net. domregtech.comcastonline.com. 2009085823 7200 3600 1209600 3600
comcast.com. 3600 IN RRSIG SOA 5 2 3600 20130711200520 20130704170020 2643 comcast.com. Te6jKcUXakW pPGQYpZICPShPZYEHHEcCnfFoof6VfOLPhhQP5MlWMbni QSQTY1UZLLCqU0j2U5n48wAMrSLSXoye+9W+pFnHtSl00fCQoQJ2ts+x DDQkdcJo2jWhNHGr6 zsP6y9clhLUkFRW7ZVdqCV62KtTumU8Qe4UOjNK R3s=
awrelaypool02.comcast.com. 3600 IN RRSIG NSEC 5 3 3600 20130711200520 20130704170020 2643 comcast.com. U87nbvAj7j 7pAk4kigqMyVy8XDeHqRP9756PTQsucrRTEchtScfBKWLl Eo7cWJc4Vcsfept+ixg0IiAxpwHATqwNTmq/giAeglFfeFmMHlXrhdOl Bl5myReo1gSXlpm0 +bvinOFRek/MUlYGLvDAq17noJag2k1oXrvhaNBo qWo=
awrelaypool02.comcast.com. 3600 IN NSEC www.bat.comcast.com. A RRSIG NSEC
;; Query time: 78 msec
;; SERVER: 2001:4870:20ca:158:8c2f:b9ff:31f7:3836#53(2001:4870:20ca:158:8c2f:b9ff:31f7:3836)
;; WHEN: Sun Jul 07 15:49:05 Eastern Daylight Time 2013
;; MSG SIZE rcvd: 520
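A fuller version of the forwarder-side configuration that the post compresses into one line, written out here as an added example; it is not Jeff's own named.conf. The addresses in the domain-controllers ACL, the directory, and the log file path are assumed placeholders (documentation address ranges), the logging block is an addition for tracing validation failures, and everything else follows the options quoted in the post.

```conf
// Domain controllers allowed to use this resolver. Assumed addresses from the
// RFC 5737 / RFC 3849 documentation ranges; substitute the real ones, and list
// the IPv6 addresses too, since 2008 R2 has IPv6 on by default and will forward
// over it.
acl domain-controllers {
    192.0.2.10;
    192.0.2.11;
    2001:db8:1::10;
    2001:db8:1::11;
};

options {
    directory "/var/named";          // assumed; named must be able to write
                                     // managed-keys.bind here for "auto" to work
    listen-on { any; };
    listen-on-v6 { any; };

    // Recursion is on, but only the DCs (and the host itself) may query or
    // recurse through this server. Everyone else gets REFUSED, so the box is
    // not an open resolver.
    recursion yes;
    allow-query     { domain-controllers; localhost; };
    allow-recursion { domain-controllers; localhost; };

    // Validate against the built-in root trust anchor, maintained via RFC 5011
    // managed keys. A name that fails validation (badsign-A.test.dnssec-tools.org
    // in the post) is answered with SERVFAIL, which the Windows DNS server hands
    // back to its clients unchanged.
    dnssec-enable yes;
    dnssec-validation auto;
};

// Separate log for the validator so a SERVFAIL seen on a DC can be traced to
// the bogus name. BIND's validator reports per-name results at debug level 3;
// drop the severity once the setup is known good. File path and size assumed.
logging {
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
        print-category yes;
    };
    category dnssec { dnssec_log; };
};
```

On the Windows 2008 R2 side the matching settings are "dnscmd /Config /NoRecursion 1", the "dnscmd /Config /EnableEDnsProbes 0" from the post, and "dnscmd /ResetForwarders 192.0.2.53 /Slave" with the resolver's real address in place of the assumed one (/Slave makes the DC forward-only rather than falling back to its own iteration). To check the result, "dig @192.0.2.10 badsign-A.test.dnssec-tools.org A" against a DC should come back SERVFAIL, while a correctly signed name such as good-A.test.dnssec-tools.org (the companion name in the same test zone) should come back NOERROR. Note that the ad flag is only visible when querying the BIND resolver directly, as the "qr rd ra" versus "qr rd ra ad" flags in the two sets of dig output above show; the DC does not pass it through. Since validation happens only on the BIND resolver, the hop from the DC to the forwarder carries no DNSSEC protection of its own and should stay on a trusted network segment.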