BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

David Lam davlam at
Sun Jul 7 07:38:48 UTC 2013

Hi Jeff.
Thanks for the quick response.
I have tested this behavior on our test Windows 2012 Server instance,
and just like what you have found, the responses indeed return with a
NOERROR instead of a SERVFAIL. On the very same identical stock
configuration (except with forwarders set), Windows 2008 R2 fails with
a SERVFAIL as described in my email. Seemingly it looks like an oddity
with Windows 2008 R2 in terms of how the records are parsed, although
I still find it quite odd that BIND9 fiddles around with the ordering
of these RRs and gets Windows confused in the first place.
Perhaps someone who has a Windows 2008 R2 domain can go ahead and
confirm this, but so far the only way I can see to mitigate this issue
is either:

1. Disable EDNS on Windows 2008 R2 (which essentially disables the
ability to accept DNSSEC based responses)
2. Disable DNSSEC support in BIND9 with dnssec-enable no; (setting
dnssec-validation no; has no effect)

Does anyone here have any thoughts?

David Lam
Security Administrator
Information Educational Technology
davlam at
(530) 752-6971

