Server 2012 R2 - DNS with DNSSEC cannot resolve some CNAMEs

Hello,

I have upgraded Windows Server 2008 R2 to 2012 R2. I have all services working and the logs are without errors. The server has all updates installed, including the November and December 2014 cumulative updates.

I have implemented DNSSEC record verification. The DNS server is set up for recursion.

I have a problem resolving some DNS names (CNAMEs), for example support.microsoft.com, login.live.com, dub122.mail.live.com and download.microsoft.com.

When I clear the DNS cache, it works until the TTL expires. Then I receive this error:

PS C:\> Resolve-DnsName support.microsoft.com -Server 192.168.1.101 -dnssecok
Resolve-DnsName : support.microsoft.com : DNS server failure
At line:1 char:1
+ Resolve-DnsName support.microsoft.com -Server 192.168.1.101 -dnssecok
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (support.microsoft.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

I found something here http://support.microsoft.com/kb/3014172 but I have the December update installed.
January 4th, 2015 10:19pm
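What Resolve-DnsName -DnssecOk puts on the wire, and how the SERVFAIL comes back, at the byte level. This is an added illustration, not code from the original post or from Microsoft: standard-library Python that builds the DNS header, question and EDNS0 OPT record by hand and decodes a reply's RCODE (the four header bits plus the OPT extended RCODE). The sample messages are constructed to match the 59-byte DS query and SERVFAIL reply quoted from the debug log later in this thread; the query() helper does a real UDP round trip (not run offline), and classify() encodes the check worth running next: the same name with and without the CD (checking disabled) bit, which tells a validation failure from an upstream failure. Server addresses, names and the 0x20d3 / 0x61e1 transaction IDs come from the thread.

```python
"""DNS wire-format encoder/decoder for DNSSEC troubleshooting.
Added example, not code from the original post; standard library only."""
import socket
import struct

# Header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.1.6 / 3.2.2).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000                  # "DNSSEC OK", high bit of the OPT flags (RFC 3225 / RFC 6891)
TYPE_A, TYPE_OPT, TYPE_DS = 1, 41, 43
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """'support.microsoft.com' -> 07 'support' 09 'microsoft' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_message(xid: int, flags: int, qname: str, qtype: int,
                  udp_size: int = 4000, dnssec_ok: bool = True, ext_rcode: int = 0) -> bytes:
    """Header, one question, one EDNS0 OPT pseudo-RR. In OPT the CLASS field
    carries the UDP buffer size and the TTL field carries ext-rcode, version and
    flags, which is why the log shows CLASS 4000 and TTL 32768 (0x8000 = DO)."""
    header = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt_ttl = (ext_rcode << 24) | (DO if dnssec_ok else 0)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Decode header bits and the OPT record. The full RCODE is the 4 header bits
    extended by the top 8 bits of the OPT TTL ('Rcode Ext' in the debug log)."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    ext_rcode, do_bit, udp_size = 0, False, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            udp_size, ext_rcode, do_bit = rclass, ttl >> 24, bool(ttl & DO)
    rcode = (ext_rcode << 4) | (flags & 0x000F)
    return {"xid": xid, "flags": flags, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "ra": bool(flags & RA),
            "do": do_bit, "udp_size": udp_size, "answers": an}


def query(server: str, qname: str, qtype: int, dnssec_ok: bool = True,
          checking_disabled: bool = False, timeout: float = 3.0) -> dict:
    """One UDP round trip (network; not exercised offline). DO asks for RRSIGs;
    CD tells a validating resolver to return data it could not validate."""
    flags = RD | (CD if checking_disabled else 0)
    msg = build_message(0x20d3, flags, qname, qtype, 4000, dnssec_ok)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4000)
    return parse_response(data)


def classify(do_result: dict, cd_result: dict) -> str:
    """Compare a DO query with a DO+CD query of the same name at the same resolver."""
    if do_result["rcode"] == 0:
        return "validated" if do_result["ad"] else "resolved, not validated (unsigned or resolver not validating)"
    if cd_result["rcode"] == 0:
        return "validation failure: data exists but the resolver cannot build a chain of trust"
    return "upstream failure: SERVFAIL even with checking disabled"


# Constructed sample: the DS query with CD=1 and DO set, and the SERVFAIL reply,
# as in the debug log quoted later in the thread (both 59 bytes on the wire).
SAMPLE_QUERY = build_message(0x61e1, CD, "smc-live-fe.trafficmanager.net", TYPE_DS)
SAMPLE_REPLY = build_message(0x61e1, QR | 2, "smc-live-fe.trafficmanager.net", TYPE_DS)

if __name__ == "__main__":
    print(len(SAMPLE_QUERY), SAMPLE_QUERY[2:4].hex())
    print(parse_response(SAMPLE_REPLY))
```

Against the server in the first post, compare query('192.168.1.101', 'support.microsoft.com', TYPE_A) with the same call plus checking_disabled=True and feed both to classify(): if only the CD query succeeds, the server has the data and is failing validation rather than failing to reach upstream.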

Hi,

Usually, this issue is caused by an invalid trust anchor.

To install a trust anchor, please follow the procedure below,

Procedure: Deploy a Root Trust Point

http://technet.microsoft.com/en-us/library/dn593676.aspx

Also, please make sure that the forwarders support EDNS0.

If the issue persists, to verify whether it is a forwarder issue, please try disabling the forwarder and try again.

Best Regards.

January 7th, 2015 6:29am

Hi,

same problem here, Server 2012 R2 Essentials. The root trust anchors are deployed and everything is running fine except for some CNAMEs like support.microsoft.com. After the TTL has expired, DNS tries to get the DS records, which fails on Microsoft's nameservers. Then DNS sends a server failure (RCODE 2) to the client.

I have all updates installed. Any other workaround than completely disabling DNSSEC?

Here is an example of the communication:

24.02.2015 22:32:09 29AC PACKET  0000003E602EC240 UDP Rcv 192.168.2.155   20d3   Q [2001   D   NOERROR] A      (7)support(9)microsoft(3)com(0)
UDP question info at 0000003E602EC240
  Socket = 524
  Remote addr 192.168.2.155, port 65275
  Time Query=948287, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0032 (50)
  Message:
    XID       0x20d3
    Flags     0x0120
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        1
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(7)support(9)microsoft(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0027, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4096
      TTL    0
      DLEN   0
      DATA   
		Buffer Size  = 4096
		Rcode Ext    = 0
		Rcode Full   = 0
		Version      = 0
		Flags        = 0

24.02.2015 22:32:09 29AC PACKET  0000003E602D0160 UDP Snd 65.55.117.41    5e6a   Q [1000       NOERROR] A      (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP question info at 0000003E602D0160
  Socket = 17080
  Remote addr 65.55.117.41, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003b (59)
  Message:
    XID       0x5e6a
    Flags     0x0010
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        1
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0030, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 0
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E60E061B0 UDP Rcv 65.55.117.41    5e6a R Q [0084 A     NOERROR] A      (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP response info at 0000003E60E061B0
  Socket = 17080
  Remote addr 65.55.117.41, port 53
  Time Query=948287, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0062 (98)
  Message:
    XID       0x5e6a
    Flags     0x8400
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        1
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    1
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x0030, RR count = 0
    Name      "[C00C](11)smc-live-fe(14)trafficmanager(3)net(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    300
      DLEN   27
      DATA   (15)smc-live-neu-fe(8)cloudapp[C027](3)net(0)
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0057, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 0
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E60D861D0 UDP Snd 204.79.195.41   61e1   Q [1000       NOERROR] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP question info at 0000003E60D861D0
  Socket = 13056
  Remote addr 204.79.195.41, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003b (59)
  Message:
    XID       0x61e1
    Flags     0x0010
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        1
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   DS (43)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0030, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 0
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E6059A110 UDP Rcv 204.79.195.41   61e1 R Q [0280      SERVFAIL] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP response info at 0000003E6059A110
  Socket = 13056
  Remote addr 204.79.195.41, port 53
  Time Query=948287, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003b (59)
  Message:
    XID       0x61e1
    Flags     0x8002
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   DS (43)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0030, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 2
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E60D861D0 UDP Snd 65.55.117.41    61e1   Q [1000       NOERROR] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP question info at 0000003E60D861D0
  Socket = 13056
  Remote addr 65.55.117.41, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003b (59)
  Message:
    XID       0x61e1
    Flags     0x0010
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        1
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   DS (43)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0030, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 0
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E605A6170 UDP Rcv 65.55.117.41    61e1 R Q [0280      SERVFAIL] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
UDP response info at 0000003E605A6170
  Socket = 13056
  Remote addr 65.55.117.41, port 53
  Time Query=948287, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003b (59)
  Message:
    XID       0x61e1
    Flags     0x8002
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(11)smc-live-fe(14)trafficmanager(3)net(0)"
      QTYPE   DS (43)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0030, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 2
		Version      = 0
		Flags        = 80 DO

24.02.2015 22:32:09 29AC PACKET  0000003E602EC240 UDP Snd 192.168.2.155   20d3 R Q [8281   DR SERVFAIL] A      (7)support(9)microsoft(3)com(0)
UDP response info at 0000003E602EC240
  Socket = 524
  Remote addr 192.168.2.155, port 65275
  Time Query=948287, Queued=948287, Expire=948290
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0032 (50)
  Message:
    XID       0x20d3
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(7)support(9)microsoft(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0027, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    0
      DLEN   0
      DATA   
		Buffer Size  = 4000
		Rcode Ext    = 0
		Rcode Full   = 2
		Version      = 0
		Flags        = 0

Thanks & best regards

February 24th, 2015 6:08pm
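A triage script for the dns.log packet summary lines quoted above (the one-line PACKET headers; the multi-line detail dumps are ignored). This is an added example, not code from the original post. It decodes the (n)label name notation, pairs each upstream query with its response by transaction ID and peer, attributes upstream traffic to the client query being worked on in the same log thread (a heuristic that is adequate for a single-query capture like this one), and lists the DS lookups that came back SERVFAIL. One detail worth knowing when reading these logs: the hex in the square brackets is the flags word byte-swapped relative to the Flags line of the detail dump (8281 in the summary is 0x8182 on the wire), which the script corrects before testing bits. The sample log is the eight summary lines from the post above.

```python
"""Triage for Windows DNS Server debug-log packet summary lines.
Added example, not from the original post; standard library only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header flag bits on the wire (RFC 1035; AD/CD from RFC 4035).
QR, AA, RD, RA, AD, CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>[0-9A-F]+) PACKET\s+(?P<pkt>[0-9A-F]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<addr>\S+)\s+(?P<xid>[0-9a-fA-F]{4}) "
    r"(?P<resp>[R ]) (?P<op>\S) \[(?P<hdr>[^\]]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")


def decode_name(text: str) -> str:
    """'(7)support(9)microsoft(3)com(0)' -> 'support.microsoft.com'.
    The number in parentheses is the label length; verify it to catch garbled lines."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", text):
        if int(length) != len(label):
            raise ValueError("label length mismatch in %r" % text)
        if label:
            labels.append(label)
    return ".".join(labels)


def wire_flags(bracket_hex: str) -> int:
    """The bracket hex is the 16-bit flags word with its bytes swapped relative
    to the 'Flags' line of the detail dump ('8281' there is 0x8182 on the wire)."""
    v = int(bracket_hex, 16)
    return ((v & 0xFF) << 8) | (v >> 8)


@dataclass
class Packet:
    ts: str
    thread: str
    direction: str          # 'Rcv' or 'Snd', from the server's point of view
    peer: str
    xid: int
    is_response: bool
    flags: int              # wire order
    rcode: str
    qtype: str
    qname: str


def parse_line(line: str) -> Optional[Packet]:
    m = LINE.match(line)
    if not m:
        return None
    parts = m["hdr"].split()        # e.g. ['8281', 'DR', 'SERVFAIL']: hex, flag letters, rcode
    return Packet(m["ts"], m["thread"], m["dir"], m["addr"], int(m["xid"], 16),
                  m["resp"] == "R", wire_flags(parts[0]), parts[-1], m["qtype"],
                  decode_name(m["qname"]))


@dataclass
class Upstream:
    qtype: str
    qname: str
    server: str
    rcode: Optional[str] = None     # None until the response is seen


@dataclass
class ClientTransaction:
    client: str
    qname: str
    qtype: str
    rcode: Optional[str] = None
    upstream: List[Upstream] = field(default_factory=list)

    def failed_ds_lookups(self) -> List[Tuple[str, str]]:
        return [(u.qname, u.server) for u in self.upstream if u.qtype == "DS" and u.rcode == "SERVFAIL"]

    def report(self) -> str:
        lines = ["%s asked %s %s -> %s" % (self.client, self.qtype, self.qname, self.rcode)]
        lines += ["  %s %s @ %s -> %s" % (u.qtype, u.qname, u.server, u.rcode) for u in self.upstream]
        if self.failed_ds_lookups():
            lines.append("  DS lookup failed upstream: the validator cannot tell whether the target zone is signed")
        return "\n".join(lines)


def triage(lines) -> List[ClientTransaction]:
    """Pair client queries with the upstream traffic generated for them.
    Upstream responses match the outstanding query by (peer, XID); the client
    query is closed by the response sent back to the same peer with the same XID."""
    open_client: Dict[Tuple[str, int], ClientTransaction] = {}
    open_upstream: Dict[Tuple[str, int], Upstream] = {}
    current: Dict[str, ClientTransaction] = {}     # per log thread, heuristic
    done: List[ClientTransaction] = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p.peer, p.xid)
        if p.direction == "Rcv" and not p.is_response:      # query from a client
            tx = ClientTransaction(p.peer, p.qname, p.qtype)
            open_client[key] = tx
            current[p.thread] = tx
        elif p.direction == "Snd" and not p.is_response:    # our query to an upstream server
            tx = current.get(p.thread)
            if tx is not None:
                tx.upstream.append(Upstream(p.qtype, p.qname, p.peer))
                open_upstream[key] = tx.upstream[-1]
        elif p.direction == "Rcv" and p.is_response:        # upstream answered us
            u = open_upstream.pop(key, None)
            if u is not None:
                u.rcode = p.rcode
        elif p.direction == "Snd" and p.is_response:        # we answered the client
            tx = open_client.pop(key, None)
            if tx is not None:
                tx.rcode = p.rcode
                done.append(tx)
    return done


# Sample input: the eight summary lines from the debug log quoted in the post above.
SAMPLE_LOG = """
24.02.2015 22:32:09 29AC PACKET  0000003E602EC240 UDP Rcv 192.168.2.155   20d3   Q [2001   D   NOERROR] A      (7)support(9)microsoft(3)com(0)
24.02.2015 22:32:09 29AC PACKET  0000003E602D0160 UDP Snd 65.55.117.41    5e6a   Q [1000       NOERROR] A      (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E60E061B0 UDP Rcv 65.55.117.41    5e6a R Q [0084 A     NOERROR] A      (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E60D861D0 UDP Snd 204.79.195.41   61e1   Q [1000       NOERROR] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E6059A110 UDP Rcv 204.79.195.41   61e1 R Q [0280      SERVFAIL] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E60D861D0 UDP Snd 65.55.117.41    61e1   Q [1000       NOERROR] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E605A6170 UDP Rcv 65.55.117.41    61e1 R Q [0280      SERVFAIL] DS     (11)smc-live-fe(14)trafficmanager(3)net(0)
24.02.2015 22:32:09 29AC PACKET  0000003E602EC240 UDP Snd 192.168.2.155   20d3 R Q [8281   DR SERVFAIL] A      (7)support(9)microsoft(3)com(0)
"""

if __name__ == "__main__":
    for tx in triage(SAMPLE_LOG.strip().splitlines()):
        print(tx.report())
```

Run it over a full dns.log (triage(open(path))) after reproducing the failure; the DS lines it flags are the names and servers to query directly with the DS type, with and without the DO bit, to confirm the authoritative side is the one returning SERVFAIL.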

Hello,

I am currently working on this issue with Microsoft technician. When I will have a fix or workaround, I will let you know.

You may try setting

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value: MaxCacheTTL
Data Type: DWORD
Data value: 60

Then restart DNS server. With this it is working a bit better but the issue still shows up irregularly.

February 25th, 2015 4:04am

Hello,

Did you find a solution?

Thanks !

Kind regards,

July 1st, 2015 12:53pm

Unfortunately no.
July 2nd, 2015 7:12pm

Hello,

I set up a new Win2012 R2 and activated DNS with DNSSEC. The server is forwarding to Google DNS 8.8.8.8. All current patches / updates are installed.

If I query stores.office.com via 8.8.8.8 directly it works; if I use Win2012R2 as the DNS server it fails:

C:\Program Files\BIND9.10.2>dig stores.office.com  +dnssec

; <<>> DiG 9.10.2-P1 <<>> stores.office.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;stores.office.com.             IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 18 09:25:33 Pacific Daylight Time 2015
;; MSG SIZE  rcvd: 46

When I deactivate DNSSEC everything works fine.

stores.office.com is a CNAME. Currently I can't use Win2012R2 as a validating DNS server because some domains don't work.


July 18th, 2015 12:42pm
