DNS - DNSSEC vs. sharepoint.com over Google Public DNS leads to "Host not found" error

Question

Hello, 
 we have configured the UTM (9.355-1) DNS according to "DNS best practice" by Bob Alfson and KB https://www.sophos.com/de-de/support/knowledgebase/120283.aspx . 
 The DNSSEC option in the UTM DNS Proxy/Forwarder is on and did not give us problems since 2013. 
 But now, something strange happens: 
 If we try to access "sharepoint.com" or "companyname- my . sharepoint .com" we get a "Host not found" error as long as DNSSEC is activated. 
 I have tested this on two different Environments over different ISPs and It seems like it does only affect this domain. 
 We'd like to keep the option enabled, because we still have some older ISP-Routers in front of the UTM for failover reasons and cache poisoning is not out of question. 
 Maybe someone could test this? 
 Or is the DNSSEC implementation of the UTM DNS Proxy worthless as it used to be with some typical older router Firmwares? 
 Best Regards, 
 HP

DouglasFoster · Accepted Answer

I stumbled on this thread while wondering whether to enable DNS SEC or not. 
 Exception process 
 This is my understanding of the problem: 
 
 UTM DNS SEC enforcement works perfectly. 
 However at least some domain owners have not implemented their DNS SEC configuration perfectly. 
 We have no control over domain owner mistakes 
 UTM has no options for configuring DNS SEC exceptions 
 Therefore if I will ever need a DNS SEC exception for at least one domain, UTM DNS SEC appears to be unusable for any domain. 
 
 I think we can roll our own exception process: 
 
 Assume the problem DNS entry is "something.example.com", so we need to exempt *.example.com 
 Assume that you have an internal DNS server, such as Active Directory, which provides internal DNS without DNS SEC enforcement, and relays to UTM (with DNS SEC enabled) for enforcement of external addresses. 
 Configure a conditional forwarder in Active Directory to send *.example.com directly to an external DNS service such as google at 8.8.8.8, bypassing UTM 
 Configure a conditional forwarder in UTM to send *.example.com to the Active Directory server, which should prevent UTM from detecting DNS SEC features for the example.com domain. 
 Repeat as needed when additional problem domains are detected. 
 
 Unfortunately, users need to experience problems before the need for exceptions can be identified. 
 It may also be difficult to know that the problem is with DNS SEC and not with a host that is down or not reachable. 
 Bandwidth Issues 
 Does anyone have operating experience with the bandwidth impact when switching from weak DNS to DNS SEC? I have been reluctant to switch because of network load concerns.