Consider the following scenario:

  • You have a domain name system (DNS) server that is running Windows Server 2012 R2.

  • The domain name system security extensions (DNSSEC) feature is enabled for root zones.

  • The A record exists in a domain within a delegated zone.

  • The DNS server processes a query and receives an A record response that requires validations to make sure that the domain is secure.

  • The included hashed authenticated denial of existence (NSEC3) record is expired in the DNS server cache, and a new secure validation query is made.

  • The DNS sends a query for the DS record to the delegated zone server.

  • The delegated zone server does not support the DNSSEC feature, and it responds with the NOT_IMPLEMENTED message.

In this scenario, the DNS server returns a SERVFAIL error to the client.


To resolve this issue, install the November 2014 update rollup for Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


See the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!