locked
Unable to resolve ims-na1.adobelogin.com with DNSSEC validation enabled RRS feed

  • 質問

  • Hello,

    after investigation of user complain related to Adobe software activation, we have discovered, that when we enable "DNSSEC validation for remote responses" in DNS server configuration that server stops resolving domain ims-na1.adobelogin.com that is used in activation proccess.

    The domain itself doesn't seems to have DNSSEC records so its really confusing.

    Anyone have any idea what can be wrong?

    Or even better how to solve the issue in a way that allows us keep enabled DNSSEC validation?

    2017年5月15日 7:32

すべての返信

  • I forgot to mention that we run Windows 2012 R2 on DNS server.

    I have also found this article on Adobe forum that sugest, that Adobe DNS is somehow broken-  https://forums.adobe.com/thread/1709716.

    Maybe its related.


    2017年5月15日 7:35
  • Hi Antonin Mares,

    >>I have also found this article on Adobe forum that sugest, that Adobe DNS is somehow broken-  https://forums.adobe.com/thread/1709716

    From your post and my research, it seems like Adobe DNS records did not have any  DNSSEC values.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2017年6月1日 6:57
  • Hi Antonin Mares

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2017年6月8日 7:13
  • From your post and my research, it seems like Adobe DNS records did not have any DNSSEC values.

    That's true, neither adobe.com nor adobejanus.com is DNSSEC signed. But I can reproduce the exact same situation in our net: As soon as we enabled DNSSEC validation on our AD DC (DNS Resolver for the clients in the office), two thing didn't work anymore:

    - the login form on the Adobe Website (after clicking on the Login-Link on top right, you get to a page on a subdomain: https://adobeid-na1.services.adobe.com/(...) which cannot be resolved in that moment

    - Launching the "Adobe Cloud"-Thingie-Software (from which some users log-in to the Adobe Cloud + launch applications like Photoshop, even if they are locally installed)

    As said, those domains are not DNSSEC "enabled" as in "signed with DNSSEC", but they have some CNAMEs pointing to a different domain - and I guess there is either a very strict rule that leads to deny giving DNS answers, of just a bug on the resolver. At least as long as DNSSEC validation on the resolver is enabled (I guess this also adds additional checks/rules besides the pure signature checks).

    Would be cool if one of you at Microsoft could try to test this and let us know if you can reproduce the same problems as we've outlined above. As Antonin said, the Adobe forum is "full of" (ok, 3+ entries) on that topic, so it seems to be of some relevance...

    Best wishes,

    Mario

    2017年6月13日 23:12
  • This is absolutely annoying. Two years gone, still the same. No reply, nothing.

    What wants us Microsoft to think? Shall we better use Bind9 DNS instead of Microsoft DNS Server?

    2019年9月18日 14:04
  • I just found out the same issue here, after enable DNSSEC on our Windows server 
    ims-na1.adobelogin.com stops working :(

    Raymond Rothengatter - RayFlexCom

    2020年7月30日 13:02
  • Absolutely ridiculous. Nobody feels responsible when one reports a DNSSEC related problem. And there were many. Not only with Adobe. Neither the site administrator, nor the DNS administrator, nor the hoster nor microsoft on resolvers side. Nobody.

    I ended up with deactivating DNSSEC via Powershell.

    2020年7月30日 15:02
  • First good answer after years! At our DNS scenario the aging of records is completely disabled. Never heard that aging has to be enabled to function DNSSEC properly, but from what you wrote... it makes absolutely sense!!

    Let's hear what others say. But this may be the correct answer for this problem.

    2020年8月4日 15:44