Description of the issue
The EXODnssecForVerifiedDomain resource reports false configuration drift and executes unnecessary Set operations because DnssecFeatureStatus=Unknown is treated as a valid configuration state rather than an error condition.
Analysis
We identified two main scenarios where the resource returns DnssecFeatureStatus=Unknown:
Test finishes with no errors, but takes longer. Note how successful consistency checks complete in <2 seconds, but failed invocations take ~20 seconds:
| TimeStamp | MessageBody |
|---|---|
| 2025-09-25 18:34:05.218 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned True |
| 2025-09-25 18:34:05.218 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 1.2040 seconds. |
| 2025-09-25 20:33:24.396 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned True |
| 2025-09-25 20:33:24.396 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 1.2190 seconds. |
| 2025-09-25 21:46:48.938 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned True |
| 2025-09-25 21:46:48.938 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 1.5940 seconds. |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned False |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 20.4400 seconds. |
| 2025-09-26 01:34:08.085 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned True |
| 2025-09-26 01:34:08.085 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 1.9380 seconds. |
We have many instances of EXODnssecForVerifiedDomain resources. This issue occurs intermittently to random domains, which can indicate that throttling or timed out requests are involved, similar to the issue noted in #6771.
Test does not handle errors from Get (via Test-M365DSCTargetResource), logs drift without failing:
Displaying verbose messages from Powershell DSC resource:
ResourceID : [EXODnssecForVerifiedDomain]contoso.com
Message : [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] A server side error has occurred because of which the operation could not be completed. Please try again after some time. If the problem still persists, please reach out to MS support.
In both cases, the Get function returns DnssecFeatureStatus=Unknown, causing the resource to incorrectly proceed to Set.
Root Cause
There are three distinct issues with error handling:
1. Suppressed cmdlet errors: Get-DnssecStatusForVerifiedDomain must not use -ErrorAction SilentlyContinue. This prevents proper error visibility and handling.
2. Ignored output diagnostics: According to the documentation, the output object returned by Get-DnssecStatusForVerifiedDomain includes Errors and Warnings arrays:
```
DnssecFeatureStatus : Enabled
ExpectedMxRecord : Microsoft.Exchange.Management.ProvisioningTasks.ExpectedMxRecordInfo
Errors : {}
Warnings : {}
DnsValidation : Microsoft.Exchange.Management.ProvisioningTasks.DnsValidationResult
MxValidation : Microsoft.Exchange.Management.ProvisioningTasks.MxValidationResult
MtaStsValidation : Microsoft.Exchange.Management.ProvisioningTasks.MtaStsValidationResult
```
The resource does not check or handle them in any way:
```powershell
$nullResult = $PSBoundParameters
$nullResult.DnssecFeatureStatus = 'Unknown'
$instance = Get-DnssecStatusForVerifiedDomain -DomainName $DomainName -ErrorAction SilentlyContinue
if ('Unknown' -eq $instance.DnssecFeatureStatus.ToString())
{
    return $nullResult
}
```
3. The centralized Test-M365DSCTargetResource function contains unprotected calls to individual resource Get-TargetResource functions, causing systemic false drift detection across all resources that utilize this shared function (related to #6677).
General Principle: Any errors (such as New-M365DSCConnection connection failures) must throw a non-terminating error, must not log drift, and must not execute Set operations.
Microsoft 365 DSC Version
1.25.1203.2
Which workloads are affected
Exchange Online
The DSC configuration
Verbose logs showing the problem
LCM execution log:
| TimeStamp | MessageBody |
|---|---|
| 2025-09-25 23:34:22.721 | [LCM-M365DSC]: LCM: [ Start Resource ] [[EXODnssecForVerifiedDomain]contoso.com] |
| 2025-09-25 23:34:22.721 | [LCM-M365DSC]: LCM: [ Start Test ] [[EXODnssecForVerifiedDomain]contoso.com] |
| 2025-09-25 23:34:22.721 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Getting configuration for DnssecForVerifiedDomain with DomainName contoso.com |
| 2025-09-25 23:34:43.021 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Current Values: ApplicationId=*** CertificateThumbprint=*** DnssecFeatureStatus=Unknown DomainName=contoso.com TenantId=*** Verbose=True |
| 2025-09-25 23:34:43.021 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Target Values: DnssecFeatureStatus=Disabled DomainName=contoso.com |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Test-TargetResource returned False |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: LCM: [ End Test ] [[EXODnssecForVerifiedDomain]contoso.com] in 20.4400 seconds. |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: LCM: [ Start Set ] [[EXODnssecForVerifiedDomain]contoso.com] |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Setting configuration for DnssecForVerifiedDomain with DomainName contoso.com |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: [[EXODnssecForVerifiedDomain]contoso.com] Getting configuration for DnssecForVerifiedDomain with DomainName contoso.com |
| 2025-09-25 23:34:44.053 | [LCM-M365DSC]: LCM: [ End Set ] [[EXODnssecForVerifiedDomain]contoso.com] in 1.2500 seconds. |
Drift event payload:
```xml
<M365DSCEvent>
  <ConfigurationDrift Source="MSFT_EXODnssecForVerifiedDomain" TenantId="contoso.onmicrosoft.com" LCMState="ConsistencyCheck">
    <ParametersNotInDesiredState>
      <Param Name="DnssecFeatureStatus">
        <CurrentValue>Unknown</CurrentValue>
        <DesiredValue>Disabled</DesiredValue>
      </Param>
    </ParametersNotInDesiredState>
  </ConfigurationDrift>
  <DesiredValues>
    <Param Name ="DomainName">contoso.com</Param>
    <Param Name ="DnssecFeatureStatus">Disabled</Param>
    <!-- Truncated -->
  </DesiredValues>
  <CurrentValues>
    <Param Name ="DomainName">contoso.com</Param>
    <Param Name ="DnssecFeatureStatus">Unknown</Param>
    <!-- Truncated -->
  </CurrentValues>
</M365DSCEvent>
```
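
Added example, not part of the original issue and not Microsoft365DSC code: a sketch of the fail-closed handling the Root Cause section asks for, where a suppressed error, a populated Errors array or DnssecFeatureStatus=Unknown stops the read instead of being returned as current state. The helper name Resolve-DnssecStatus, its -Query parameter and the sample responses are assumptions made for illustration, and surfacing the failure with throw is one possible choice.

```powershell
# Added illustration, not Microsoft365DSC code; Resolve-DnssecStatus and -Query are hypothetical names.
function Resolve-DnssecStatus
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DomainName,

        # Injectable so the logic can run offline; defaults to the real cmdlet, errors not suppressed.
        [Parameter()]
        [System.Management.Automation.ScriptBlock]
        $Query = { param($Name) Get-DnssecStatusForVerifiedDomain -DomainName $Name -ErrorAction Stop }
    )

    $instance = & $Query $DomainName
    if ($null -eq $instance)
    {
        throw "No DNSSEC status was returned for '$DomainName'."
    }

    # Errors/Warnings may be $null or empty; drop $null entries so an absent array counts as zero.
    $queryErrors = @($instance.Errors | Where-Object { $null -ne $_ })
    if ($queryErrors.Count -gt 0)
    {
        throw "DNSSEC status query for '$DomainName' reported errors: $($queryErrors -join '; ')"
    }

    # 'Unknown' means the state could not be determined; it is not a value to compare against.
    $status = [System.String]$instance.DnssecFeatureStatus
    if ([System.String]::IsNullOrEmpty($status) -or $status -eq 'Unknown')
    {
        throw "DNSSEC status for '$DomainName' is indeterminate; not reporting it as current state."
    }

    foreach ($warning in @($instance.Warnings | Where-Object { $null -ne $_ }))
    {
        Write-Warning -Message "${DomainName}: $warning"
    }
    return $status
}

# Constructed responses standing in for the service (not captured output).
$healthy = { param($Name) [pscustomobject]@{ DnssecFeatureStatus = 'Disabled'; Errors = @(); Warnings = @() } }
$failed = { param($Name) [pscustomobject]@{ DnssecFeatureStatus = 'Unknown'; Errors = @('constructed error'); Warnings = @() } }

Resolve-DnssecStatus -DomainName 'contoso.com' -Query $healthy
try { Resolve-DnssecStatus -DomainName 'contoso.com' -Query $failed }
catch { Write-Host "Get failed; no drift to log, no Set to run: $($_.Exception.Message)" }
```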