DNSSEC Validation Creating Problems for SQL Clusters

  • Question

  • Our company is in the process of enabling DNSSEC in the environment.  Just recently we finished up the deployment and enabled DNSSEC validation on all of the machines in the network.  The implementation worked beautifully in our environment, except in our SQL clusters.

    Symptom

    You ping any DNSSEC protected host in the network by DNS name: host not found.  You ping that same host by IP address--ping is successful.  DNS is failing to resolve host names.  As soon as we disable DNSSEC validation, the problem goes away.

    Environment

    • We have a parent/child domain configuration: PARENT.com and CHILD.PARENT.com.
    • All SQL clusters have two nodes.  In this case, ACTIVE/PASSIVE.  Windows Server 2012 (non-R2).

    Additional Details

    All of our SQL clusters and most domain controllers are located on CHILD.PARENT.com.  When I set up Wireshark and monitor the DNS resolution behavior, I'm seeing that nearly every time I try to ping DC05, the server is trying to ping DC05.PARENT.com.  This server doesn't exist on PARENT.com.  Instead, the server should be trying to ping DC05.CHILD.PARENT.com.  So the domain suffix is incorrect.

    But when I check the network adapter and use the Get-DnsClientGlobalSetting command, the search order is correct: CHILD.PARENT.com, then PARENT.com.

    So then I try to ping "DC05.CHILD.PARENT.COM" directly and it still fails.

    And when I remove DNSSEC validation, the problem goes away.  This strange issue is only affecting our SQL clusters.  All other machines work beautifully.

    This one is really baffling me...any input would be appreciated.

    Tuesday, March 1, 2016 8:57 PM

All replies

  • Hi Mike,

    1. Have you tried running Nslookup on DC05?

    2. The cluster name you set is a NetBIOS name; please clear the NetBIOS cache or disable NetBIOS over TCP/IP, and try to ping again.

    3. Try a workaround: set DC05.child.parent.com as a CNAME to DC05.parent.com.

    4. If you are using Windows Server 2008 R2, this link may help: https://support.microsoft.com/en-us/kb/2724183

    Best Regards,

    Cartman


    Wednesday, March 2, 2016 6:05 AM
  • Hello Cartman,

    I really appreciate the response.

    1. I ran an NSLOOKUP and it works successfully, but according to this article, NSLOOKUP uses an internal DNS client that is not DNSSEC-aware:

    https://technet.microsoft.com/en-us/library/jj200221.aspx#validation

    But when I use the 'Resolve-DnsName' cmdlet in PowerShell, which is DNSSEC-aware, I get a response that the host doesn't exist.  According to Wireshark, I'm trying to resolve DC05.PARENT.com when it should actually be DC05.CHILD.PARENT.com.

    2. I went ahead and disabled NetBIOS on the NIC.  I also went ahead and cleared the cache.  The problem remains.

    3. Even if the workaround works, we would likely need to set up dozens of CNAMEs because the problem affects connections to all servers, not just DC05.

    4. Windows Server 2008 R2 is not in the equation...

    Thank you for the input.  If anything else comes to mind, please let me know!

    Wednesday, March 2, 2016 2:38 PM
  • Hi Mike,

    Read this KB for more information:

    https://support.microsoft.com/en-us/kb/3051472

    Best Regards,

    Cartman

    Sunday, March 6, 2016 10:17 AM
  • Hi Mike,

    I don't know if it is possible for you or not. I wanted to know if you stop cluster service on the nodes, does it work.

    Awaiting your reply.


    Monday, March 14, 2016 6:01 PM
  • Hi Cartman, 

    I appreciate you taking the time to help out on this.  I wanted to give you an update on this issue.  One month ago I created a case with Microsoft support.  They still haven't been able to resolve this issue.  I've had them connect into my environment multiple times.  I've sent them many logs.

    Tier 1 was unable to figure out the problem.  Then tier 2 was unable to figure out the problem.  Now their debugging team is working on this issue (likely tier 3).  I'm still working with them to determine a solution to this problem.

    Mike

    Thursday, March 31, 2016 1:30 PM
  • Hi Mike,

    Thank you for telling me that; please share with us when you get the solution.

    Best Regards,

    Cartman

    Tuesday, April 5, 2016 7:39 AM
  • Hi,

    I assume that you signed both PARENT.com and CHILD.PARENT.com.

    What trust anchors are installed on your recursive DNS servers?

    You can have just the parent trust anchor if the child zone has a DS record uploaded to the parent. Otherwise, you can add trust anchors for both zones and this would also work.

    Thanks,

    -Greg

    Tuesday, September 12, 2017 9:46 PM
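A diagnostic script, added here as an example and not part of any reply in the thread, that walks through the checks the thread describes: the suffix search list and effective NRPT rules behind the wrong-suffix symptom, DNSSEC-aware queries with Resolve-DnsName for the short and fully qualified name (nslookup is not DNSSEC-aware, so it would not show the failure), and the DS record in the parent zone that Greg's trust-anchor question hinges on. PARENT.com, CHILD.PARENT.com and DC05 are placeholders taken from the thread; run it on an affected cluster node.

```powershell
# Added example: DNSSEC client-side triage for a parent/child AD DNS setup.
# Zone and host names are placeholders from the thread, not real infrastructure.
param(
    [string]$ShortName  = 'DC05',
    [string]$ChildZone  = 'CHILD.PARENT.com',
    [string]$ParentZone = 'PARENT.com'
)

# 1. Suffix search list and devolution. The thread's symptom was DC05 being
#    expanded to DC05.PARENT.com instead of DC05.CHILD.PARENT.com.
$g = Get-DnsClientGlobalSetting
"Suffix search list : $($g.SuffixSearchList -join ', ')"
"UseSuffixSearchList: $($g.UseSuffixSearchList)  DevolutionLevel: $($g.DevolutionLevel)"

# 2. Effective NRPT rules. DNSSEC validation on Windows clients is required per
#    namespace through the NRPT; a rule covering the wrong namespace forces
#    validation of names the resolver cannot validate.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DnsSecValidationRequired, DnsSecQueryIPsecRequired |
    Format-Table -AutoSize

# 3. Query the short name and the FQDN with the DO bit set (-DnssecOk), DNS only
#    (no LLMNR/NetBIOS fallback), so the result matches what the OS resolver sees.
foreach ($name in @($ShortName, "$ShortName.$ChildZone")) {
    try {
        $ans   = Resolve-DnsName -Name $name -Type A -DnssecOk -DnsOnly -ErrorAction Stop
        $addrs = ($ans | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
        $rrsig = [bool]($ans | Where-Object { $_.Type -eq 'RRSIG' })
        "OK   $name -> $addrs (RRSIG returned: $rrsig)"
    } catch {
        "FAIL $name : $($_.Exception.Message)"
    }
}

# 4. Chain of trust. If the recursive servers hold only the PARENT.com trust
#    anchor, validation of the child zone works only when a DS record for
#    CHILD.PARENT.com is published in PARENT.com; otherwise the child zone
#    needs its own trust anchor on every validating resolver.
$ds = Resolve-DnsName -Name $ChildZone -Type DS -DnssecOk -DnsOnly -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -eq 'DS' }
if ($ds) {
    "DS for $ChildZone found in $ParentZone (KeyTag: $($ds.KeyTag -join ', '))"
} else {
    "No DS record for $ChildZone in $ParentZone; a trust anchor for the child zone is required on the recursive servers"
}
```

Sections 1 to 3 localize the failure to the resolver on the node; section 4 tells you whether the fix belongs on the DNS servers (missing DS record or child trust anchor) rather than on the cluster.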