locked
Unable to resolve ims-na1.adobelogin.com with DNSSEC validation enabled RRS feed

  • Question

  • Hello,

    after investigation of user complain related to Adobe software activation, we have discovered, that when we enable "DNSSEC validation for remote responses" in DNS server configuration that server stops resolving domain ims-na1.adobelogin.com that is used in activation proccess.

    The domain itself doesn't seems to have DNSSEC records so its really confusing.

    Anyone have any idea what can be wrong?

    Or even better how to solve the issue in a way that allows us keep enabled DNSSEC validation?

    Monday, May 15, 2017 7:32 AM

All replies

  • I forgot to mention that we run Windows 2012 R2 on DNS server.

    I have also found this article on Adobe forum that sugest, that Adobe DNS is somehow broken-  https://forums.adobe.com/thread/1709716.

    Maybe its related.


    Monday, May 15, 2017 7:35 AM
  • Hi Antonin Mares,

    >>I have also found this article on Adobe forum that sugest, that Adobe DNS is somehow broken-  https://forums.adobe.com/thread/1709716

    From your post and my research, it seems like Adobe DNS records did not have any  DNSSEC values.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 1, 2017 6:57 AM
  • Hi Antonin Mares

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 8, 2017 7:13 AM
  • From your post and my research, it seems like Adobe DNS records did not have any DNSSEC values.

    That's true, neither adobe.com nor adobejanus.com is DNSSEC signed. But I can reproduce the exact same situation in our net: As soon as we enabled DNSSEC validation on our AD DC (DNS Resolver for the clients in the office), two thing didn't work anymore:

    - the login form on the Adobe Website (after clicking on the Login-Link on top right, you get to a page on a subdomain: https://adobeid-na1.services.adobe.com/(...) which cannot be resolved in that moment

    - Launching the "Adobe Cloud"-Thingie-Software (from which some users log-in to the Adobe Cloud + launch applications like Photoshop, even if they are locally installed)

    As said, those domains are not DNSSEC "enabled" as in "signed with DNSSEC", but they have some CNAMEs pointing to a different domain - and I guess there is either a very strict rule that leads to deny giving DNS answers, of just a bug on the resolver. At least as long as DNSSEC validation on the resolver is enabled (I guess this also adds additional checks/rules besides the pure signature checks).

    Would be cool if one of you at Microsoft could try to test this and let us know if you can reproduce the same problems as we've outlined above. As Antonin said, the Adobe forum is "full of" (ok, 3+ entries) on that topic, so it seems to be of some relevance...

    Best wishes,

    Mario

    Tuesday, June 13, 2017 11:12 PM
  • This is absolutely annoying. Two years gone, still the same. No reply, nothing.

    What wants us Microsoft to think? Shall we better use Bind9 DNS instead of Microsoft DNS Server?

    Wednesday, September 18, 2019 2:04 PM
  • I just found out the same issue here, after enable DNSSEC on our Windows server 
    ims-na1.adobelogin.com stops working :(

    Raymond Rothengatter - RayFlexCom

    Thursday, July 30, 2020 1:02 PM
  • Absolutely ridiculous. Nobody feels responsible when one reports a DNSSEC related problem. And there were many. Not only with Adobe. Neither the site administrator, nor the DNS administrator, nor the hoster nor microsoft on resolvers side. Nobody.

    I ended up with deactivating DNSSEC via Powershell.

    Thursday, July 30, 2020 3:02 PM
  • First good answer after years! At our DNS scenario the aging of records is completely disabled. Never heard that aging has to be enabled to function DNSSEC properly, but from what you wrote... it makes absolutely sense!!

    Let's hear what others say. But this may be the correct answer for this problem.

    Tuesday, August 4, 2020 3:44 PM