Windows Server DNS Server does not Resolve some Names when Forwarders and DNSSEC Validation are configured.

Anonymous
2024-11-21T22:11:38+00:00

I enable DNSSEC validation and configure a forwarder 9.9.9.9 in DNS Manager of Windows 2022.

In the DNS Manager I clear the DNS Cache of the Windows DNS Server.

I execute the following:

nslookup xwkm5qky.r.eu-west-1.awstrack.me. myservername

The reply is always SERVFAIL.

I can see in the network capture that the DNS server is trying to resolve a DS query for

xwkm5qky.r.eu-west-1.awstrack.me

r.eu-west-1.awstrack.me

r.delegate.eu-west-1.awstrack.me

com

amazonaws.com

The reply for amazonaws.com is NSEC3 indicating that this zone is not signed. It seems like the DNS server is assuming that the zone awstrack.me is DNSSEC signed. However, there is no query for either "me" or "awstrack.me".

When I remove a forwarder then I can see in the network capture that the DNS Server will also do a DS query for "me" and "awstrack.me". It receives NSEC3 for awstrack.me indicating that this zone is not signed and returns the IP addresses for xwkm5qky.r.eu-west-1.awstrack.me.

There is something broken when forwarders are used.

It happens on Windows Server 2022 (Version 10.0.20348.2762) and Windows Server 2019. It does not matter which forwarder is used; the same happens with 8.8.8.8 and 1.1.1.1.

Windows Server Networking


Accepted answer
Anonymous
2024-11-22T14:28:21+00:00

Hello,

The issue you are experiencing with DNSSEC validation and forwarders on Windows Server 2022 and Windows Server 2019 is related to how the DNS server handles trust anchors and insecure zones. When forwarders are used, the DNS server may incorrectly assume that certain zones are DNSSEC signed, leading to SERVFAIL errors. This behavior is due to expired BOGUS records not being properly updated or deleted, causing the DNS server to fail the operation when it encounters a secured zone without supporting DNSSEC records.

The workaround is to remove the root trust anchor.

Get-DnsServerTrustAnchor -Name . | Remove-DnsServerTrustAnchor -Force

Best Regards

Zunhui

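The following PowerShell script is an added example; it is not code from the question, the accepted answer, or Microsoft. It ties the two posts together: it records the server's forwarder and trust-anchor state, repeats the question's test query through the DNS server (Resolve-DnsName with the DO bit set, reporting SERVFAIL instead of throwing), backs up the root trust anchor to a file, applies the answer's workaround, clears the cache and re-tests. The parameter defaults ($Server, $TestName, $AnchorBackup) and the backup path are assumptions for illustration. Note that once the root trust anchor is gone the server has nothing to validate against, so DNSSEC validation is effectively off until the anchor is restored; the last lines show the restore command.

```powershell
# Added example (not from the question or the answer): diagnose and apply the
# trust-anchor workaround on a Windows DNS server. Run on the DNS server itself
# with the DnsServer module available.
param(
    [string]$Server       = $env:COMPUTERNAME,                     # assumed: local DNS server
    [string]$TestName     = 'xwkm5qky.r.eu-west-1.awstrack.me',    # name from the question
    [string]$AnchorBackup = "$env:TEMP\root-trust-anchor.xml"     # assumed backup location
)
Import-Module DnsServer -ErrorAction Stop

# Ask the server for an A record with the DNSSEC OK bit set. A validation
# failure surfaces as a "DNS server failure" (SERVFAIL) exception, which we
# turn into a result object instead of letting it terminate the script.
function Test-DnssecResolution {
    param([string]$Name, [string]$DnsServer)
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $DnsServer `
                                  -DnsOnly -DnssecOk -ErrorAction Stop
        $ips = $answer | Where-Object { $_.Type -eq 'A' } |
               Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{ Name = $Name; Status = 'OK'; Addresses = ($ips -join ', ') }
    } catch {
        [pscustomobject]@{ Name = $Name; Status = $_.Exception.Message; Addresses = '' }
    }
}

# 1. Record the state the question describes: forwarders plus a root trust anchor.
Write-Host "Forwarders configured on $Server:"
Get-DnsServerForwarder -ComputerName $Server |
    Select-Object -ExpandProperty IPAddress | ForEach-Object { Write-Host "  $_" }

$rootAnchors = @(Get-DnsServerTrustAnchor -Name '.' -ComputerName $Server -ErrorAction SilentlyContinue)
Write-Host "Root trust anchors present: $($rootAnchors.Count)"

# 2. Reproduce the symptom from the question (expect SERVFAIL when the bug is present).
Clear-DnsServerCache -ComputerName $Server -Force
$before = Test-DnssecResolution -Name $TestName -DnsServer $Server
Write-Host "Before workaround: $($before.Status) $($before.Addresses)"

if ($before.Status -eq 'OK' -or $rootAnchors.Count -eq 0) {
    Write-Host "Nothing to do: either the name resolves or there is no root anchor to remove."
    return
}

# 3. Keep a copy of the anchor records so the change can be reviewed and reversed.
$rootAnchors | Export-Clixml -Path $AnchorBackup
Write-Host "Root trust anchor exported to $AnchorBackup"

# 4. Apply the workaround from the accepted answer, then flush stale validation state.
Get-DnsServerTrustAnchor -Name '.' -ComputerName $Server |
    Remove-DnsServerTrustAnchor -ComputerName $Server -Force
Clear-DnsServerCache -ComputerName $Server -Force

# 5. Re-test. With no anchor the server no longer validates, so the lookup
#    should now return the A records the question saw without a forwarder.
$after = Test-DnssecResolution -Name $TestName -DnsServer $Server
Write-Host "After workaround:  $($after.Status) $($after.Addresses)"

# To put validation back once the underlying problem is resolved, re-fetch the
# root anchor from the configured RootTrustAnchorsURL:
#   Add-DnsServerTrustAnchor -Root -ComputerName $Server
```

The script deliberately stops before touching anything if the test name already resolves or no root anchor exists, and it writes the existing anchor to disk first, so the only state it changes is the one the answer names and that change is recorded. Re-running the test function after `Add-DnsServerTrustAnchor -Root` shows whether the SERVFAIL returns with the anchor, which is the quickest way to confirm the forwarder-plus-validation combination is still the trigger.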
