SERVFAIL error from a Windows Server 2012 R2-based DNS server that has DNSSEC enabled

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation

Symptoms


Consider the following scenario:
  • You have a domain name system (DNS) server that is running Windows Server 2012 R2.
  • The domain name system security extensions (DNSSEC) feature is enabled for root zones.
  • The A record exists in a domain within a delegated zone.
  • The DNS server processes a query and receives an A record response that requires validation to make sure that the domain is secure.
  • The included hashed authenticated denial of existence (NSEC3) record is expired in the DNS server cache, and a new secure validation query is made.
  • The DNS server sends a query for the DS record to the delegated zone server.
  • The delegated zone server does not support the DNSSEC feature, and it responds with the NOT_IMPLEMENTED message.
In this scenario, the DNS server returns a SERVFAIL error to the client.
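
To find delegated zone servers that would trigger this scenario, the following added diagnostic (not Microsoft code) sends a DS query with the DNSSEC OK bit set and reports the response code. It assumes the validation query can be modeled as a non-recursive EDNS0 query over UDP, and that the page's NOT_IMPLEMENTED message is DNS RCODE 4 (NOTIMP); all function names are hypothetical.

```python
import socket
import struct
import sys

QTYPE_DS, QTYPE_OPT, CLASS_IN = 43, 41, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}  # 4 is assumed to be the page's NOT_IMPLEMENTED

def build_ds_query(zone, txid):
    """Non-recursive DS query for `zone` with EDNS0 and the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l.encode("ascii") for l in zone.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE_DS, CLASS_IN)
    # OPT RR: root owner, UDP size 4096, ext-rcode 0, version 0, DO flag, no options
    opt = b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_rcode(response, txid):
    """Return the RCODE name from a DNS response header, checking ID and QR."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def assess(rcode):
    """Map the delegated zone server's answer to the scenario on this page."""
    if rcode == "NOTIMP":
        return "at risk: DS query rejected, validating server may return SERVFAIL"
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "ok: server answers DS queries"
    return "investigate: unexpected " + rcode

def probe(server, zone, txid=0x5A5A, timeout=3.0):
    """Send the DS query to `server` over UDP port 53 and assess the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ds_query(zone, txid), (server, 53))
        return assess(parse_rcode(s.recv(4096), txid))

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py <server-ip> <zone>
        print(probe(sys.argv[1], sys.argv[2]))
    else:                    # offline demo on a constructed NOTIMP response header
        reply = struct.pack("!HHHHHH", 0x5A5A, 0x8004, 1, 0, 0, 0)
        print(assess(parse_rcode(reply, 0x5A5A)))
```
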

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
