DNS queries fail on secondary name servers using DNSSEC and hidden primary RRS feed

  • Question

  • Our DNSSEC architecture consists of a hidden primary and 3 secondary name servers, all running Server 2012 R2. Recently, our secondary servers lost communication with the hidden primary and external DNS queries failed. This was unexpected, since we expected to see queries continue to work but prevent zone updates. Is there a setting in 2012 R2 to prevent this issue from occurring in the event we have issues with our hidden primary? Or are we running into a bug on the secondary name servers? We had to disable DNSSEC and force our secondary servers to primary. During troubleshooting, forcing a zone transfer would restore DNS, but the issue repeated 24 hours later until DNSSEC was disabled.
    Thursday, November 19, 2015 10:27 PM

Answers

  • Hi,

    >> Recently, our secondary servers lost communication with the hidden primary and external DNS queries failed

       You could find some detailed error information in your DNS server event log; it is often very useful.

    >> During troubleshooting, forcing a zone transfer would restore DNS but the issue repeated 24 hours later until DNSSEC was disabled

       You could disable DNSSEC temporarily, or reset your DNSSEC and perform the zone update again.

    Here is a hotfix link which may be helpful for your issue:

    https://support.microsoft.com/en-us/kb/2962409

    To download it, navigate to

    http://www.microsoft.com/en-us/download/details.aspx?id=43276

    Best regards,


    Monday, November 23, 2015 9:56 AM
    Moderator
  • On the primary zone copy, do you have the secondary servers added to the Name server list?

    Are the zone transfer settings set correctly?

    Do you have the DNSSEC set in group policy? What are the settings there?

    If you change it manually and it reverts within a 24-hour time frame, look at the GPO settings that set it and make sure nothing was changed that causes it to revert.

    Monday, November 23, 2015 5:55 PM

All replies

  • Thank you.  I believe the issue is with our zone transfer settings, specifically the zone expiry timer which by default is set to 24 hours.  We'll do some tweaking and testing and report back. 
    Tuesday, November 24, 2015 3:52 PM
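The follow-up above points at the SOA expire timer: a secondary that cannot refresh from its primary keeps serving the zone only until Expire runs out, and the Windows default for new zones is 1 day. The script below is an added example, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module on Server 2012 R2, a zone named example.com, secondary hosts ns1, ns2 and ns3, and a target Expire of 14 days (the 2 to 4 week range RFC 1912 recommends). It reads the SOA timers from the hidden primary, raises Expire if it is short, reports each secondary's transfer state, forces a full transfer, pulls recent DNS Server errors from the event log, and confirms the secondaries still return signed answers. Hostnames, zone name and the 14-day value are assumptions.

```powershell
# Added example, not from the original thread or from Microsoft.
# Assumes the DnsServer module (Windows Server 2012 R2) and DNS admin rights.
# Zone name, hostnames and the 14-day Expire target are assumptions.
$ZoneName     = 'example.com'               # assumed zone
$Secondaries  = 'ns1', 'ns2', 'ns3'          # assumed secondary hostnames
$TargetExpire = [TimeSpan]::FromDays(14)     # RFC 1912 suggests 2 to 4 weeks

function Get-SoaTimers {
    # Read the SOA of a zone copy and return its timers as one object.
    param([string]$Zone, [string]$ComputerName = 'localhost')
    $soa = Get-DnsServerResourceRecord -ZoneName $Zone -RRType SOA -ComputerName $ComputerName
    $d = $soa.RecordData
    [pscustomobject]@{
        Server  = $ComputerName
        Serial  = $d.SerialNumber
        Refresh = $d.RefreshInterval
        Retry   = $d.RetryInterval
        Expire  = $d.ExpireLimit
        MinTtl  = $d.MinimumTimeToLive
    }
}

# 1. On the hidden primary: check the timers. Expire is the outage budget for the
#    secondaries; it must exceed Refresh + Retry and cover the longest outage you
#    are willing to ride out without the primary.
$t = Get-SoaTimers -Zone $ZoneName
$t | Format-List
if ($t.Expire -le ($t.Refresh + $t.Retry)) {
    Write-Warning "Expire ($($t.Expire)) is not larger than Refresh + Retry; secondaries can expire after a single missed refresh cycle."
}
if ($t.Expire -lt $TargetExpire) {
    Write-Warning "Expire is $($t.Expire); secondaries stop answering that long after their last successful refresh."
    # Replace the SOA in place on the primary copy; secondaries pick it up on the next transfer.
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType SOA
    $new = $old.Clone()
    $new.RecordData.ExpireLimit = $TargetExpire
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new
}

# 2. On each secondary: is the copy still valid, and when did it last refresh?
#    IsShutdown = True means the copy has expired and the server no longer answers for it.
foreach ($s in $Secondaries) {
    $z = Get-DnsServerZone -Name $ZoneName -ComputerName $s
    [pscustomobject]@{
        Server       = $s
        ZoneType     = $z.ZoneType
        IsShutdown   = $z.IsShutdown
        LastSoaCheck = $z.LastSuccessfulSoaCheck
        LastTransfer = $z.LastSuccessfulZoneTransfer
        LastAttempt  = $z.LastZoneTransferAttempt
        Masters      = ($z.MasterServers -join ', ')
    }
}

# 3. Force a full transfer on one secondary, then read recent DNS Server errors
#    and warnings (Level 2 = Error, 3 = Warning) from its event log.
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer -ComputerName $Secondaries[0]
Get-WinEvent -ComputerName $Secondaries[0] -FilterHashtable @{ LogName = 'DNS Server'; Level = 2, 3 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# 4. Confirm each secondary still returns signed answers: with the DO bit set,
#    a healthy signed zone returns RRSIG records alongside the SOA.
foreach ($s in $Secondaries) {
    Resolve-DnsName -Name $ZoneName -Type SOA -Server $s -DnssecOk -ErrorAction Continue |
        Select-Object @{ n = 'Server'; e = { $s } }, Name, Type
}
```

Raising Expire only buys time; it does not fix the lost connection to the hidden primary, so the transfer-state output in step 2 (LastSuccessfulSoaCheck and LastSuccessfulZoneTransfer going stale) is the signal to act on before the new budget runs out.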