[Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

[Steve Atkins]

> On Aug 18, 2016, at 8:11 AM, David <opendak at shaw.ca> wrote:
> 
> On 2016-08-18 8:37 AM, Pieter Lexis wrote:
>> Hi Michael,
>> 
>> On Thu, 18 Aug 2016 14:20:25 +0000
>> Michael <mine at michi.su> wrote:
>> 
>>> Last week I updated to Ubuntu 16.04. So I have a new Postfix version
>>> (3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).
>>> 
>>> Since this update Postfix does not receive correct answers for a
>>> particular query anymore. Concretely, queries for A entries of
>>> Office365 mail servers.
>>> 
>>> For example if Postfix asks for the A entry of
>>> nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix
>>> that there does not exists a A record.
>>> However, if I manually do this query with dig, I do get an correct
>>> answer. Please see the logs at the end of the mail.
>>> 
>>> Besides the queries of Office365 mail servers, the rest is working
>>> fine. I have no idea how to track down that issue? Is there any
>>> setting in pdns_recursor I have to change?
>> 
>> Postfix might be asking for DNSSEC, which is finiky in the alpha version Ubuntu pulled in. Can you install 4.0.1 from our repositories[1] and try again? 4.0.1 has about 5 months more development time in it.
>> 
> 
> Also see: https://www.mail-archive.com/mailop@mailop.org/msg01648.html for more information on how Microsoft does DNS and the issues encountered with Office365. (DNSSEC and EDNS issues, IIRC).
> 

Their load balancers return FORMERR in response to DNSSEC (or any EDNS, I presume) requests. It's been an ongoing issue (and I've seen it cause resolution problems previously, with pdns_recursor 3.something).

Speculation was that it was something to do with short TTLs and/or packet size limitations somewhere on the resolution path. I don't think anyone has looked at the traffic deeply enough to say for sure.

Cheers,
  Steve