Consider the following scenario:
- You have a domain name system (DNS) server that is running Windows Server 2012 R2.
- The domain name system security extensions (DNSSEC) feature is enabled for root zones.
- The A record exists in a domain within a delegated zone.
- The DNS server processes a query and receives an A record response that requires validations to make sure that the domain is secure.
- The included hashed authenticated denial of existence (NSEC3) record is expired in the DNS server cache, and a new secure validation query is made.
- The DNS sends a query for the DS record to the delegated zone server.
- The delegated zone server does not support the DNSSEC feature, and it responds with the NOT_IMPLEMENTED message.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.