Symptoms
Consider the following scenario:
-
You have a domain name system (DNS) server that is running Windows Server 2012 R2.
-
The domain name system security extensions (DNSSEC) feature is enabled for root zones.
-
The A record exists in a domain within a delegated zone.
-
The DNS server processes a query and receives an A record response that requires validations to make sure that the domain is secure.
-
The included hashed authenticated denial of existence (NSEC3) record is expired in the DNS server cache, and a new secure validation query is made.
-
The DNS sends a query for the DS record to the delegated zone server.
-
The delegated zone server does not support the DNSSEC feature, and it responds with the NOT_IMPLEMENTED message.
In this scenario, the DNS server returns a SERVFAIL error to the client.
Resolution
To resolve this issue, install the November 2014 update rollup for Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
See the terminology that Microsoft uses to describe software updates.
