>> Based on a Microsoft tech support case that I opened, the only way to fix
>> this was to turn off EDNS ("dnscmd /config /EnableEDnsProbes 0").
>> This also seems to have been fixed in Windows Server 2012.
> What a bummer, this essentially stops anyone from using DNSSEC validation
> correctly
> This turned out to be happening because Windows DNS was actually sending its
> query as "dig badsign-A.test.dnssec-tools.org +dnssec +cdflag", in other
> words telling BIND not to perform DNSSEC validation.
Agreed. Looking at a Wireshark capture, it does look like this was the
case with the Wi
> Perhaps someone who has a Windows 2008 R2 domain can go ahead and confirm
> this, but so far the only way I can see to mitigate this issue is either:
> 1. Disable EDNS on Windows 2008 R2 (which essentially disables the ability to
> accept DNSSEC based responses) or 2. Disable DNSSEC support in
Hi Jeff.
Thanks for the quick response.
I have tested this behavior on our test Windows 2012 Server instance,
and just like what you have found, the responses indeed return with a
NOERROR instead of a SERVFAIL. On the very same identical stock
configuration (except with forwarders set), Windows 200
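The CD-flag query described earlier in the thread, as an added example that is not part of any message here: a small Python checker that builds a constructed query the way the thread says Windows 2008 R2 sends it (CD set, EDNS0 OPT with DO) and reports whether a captured query is asking the upstream validator to skip DNSSEC checking. The packet bytes and the helper names are constructed for this example.

```python
import struct

# DNS header flag masks (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 6891).
FLAG_RD = 0x0100  # recursion desired
FLAG_CD = 0x0010  # checking disabled: tells the resolver NOT to validate DNSSEC
EDNS_DO = 0x8000  # DNSSEC OK, carried in the OPT pseudo-RR's 32-bit "TTL" field

def encode_name(name):
    """Wire-format a dotted hostname (constructed helper, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, cd=False, do=False):
    """Constructed query: id 0x1234, RD set, optional CD, optional EDNS0 OPT with DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if do else 0
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root name, type 41, class = UDP size 4096, TTL field holds DO, rdlen 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return pkt

def skip_name(pkt, off):
    """Advance past a wire-format name (labels or a 2-byte compression pointer)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def inspect_query(pkt):
    """Return (cd_set, do_set); cd_set=True means validation is being bypassed."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # qtype + qclass
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    do_set = False
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41 and ttl & EDNS_DO:
            do_set = True
        off += 10 + rdlen
    return bool(flags & FLAG_CD), do_set
```

A query that reports (True, True) is one where the forwarder will be handed the unvalidated answer, which is why the broken-signature name comes back NOERROR instead of SERVFAIL.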