[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
Uwe Schindler
uwe at thetaphi.de
Tue May 3 11:57:43 BST 2016
I just noticed that dnsmasq no longer resolves paypal.com and its subdomains correctly. Other DNSSEC secured domains (like my own) work.

# dig paypal.com
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A
;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 03 12:49:13 CEST 2016
;; MSG SIZE rcvd: 39

If the query log is enabled, it shows:

May 3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May 3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May 3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3

I encountered the error for the first time with dnsmasq-2.76test8, but the problem did not change after upgrading to dnsmasq-2.76test13.

My config is:

# dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
dnssec-check-unsigned

Verisign's checker says everything is OK with paypal.com.

Uwe
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de
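
Added example (not part of the original message and not dnsmasq code): a small triage script for a query log like the one quoted above. It groups the DS parameters, the validation status and the address answers per name, and lists names that were rejected as BOGUS even though the upstream server returned address records, which is the pattern that reaches the client as SERVFAIL. The regular expressions assume the log line wording shown in this message; other dnsmasq versions may word these lines differently.

```python
import re
from collections import defaultdict

# Log lines copied from the message above.
SAMPLE_LOG = """\
May 3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May 3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May 3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
"""

# Subsets of the IANA DNSSEC algorithm and DS digest type registries.
ALGO = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
DIGEST = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
DS = re.compile(r"reply (\S+) is DS keytag (\d+), algo (\d+), digest (\d+)$")
VALIDATION = re.compile(r"validation (\S+) is (SECURE|INSECURE|BOGUS)$")
ADDR = re.compile(r"reply (\S+) is (\d{1,3}(?:\.\d{1,3}){3})$")

def triage(log_text):
    """Collect DS parameters, validation status and A answers per name."""
    names = defaultdict(lambda: {"ds": [], "status": None, "answers": []})
    for line in log_text.splitlines():
        found = MSG.search(line.rstrip())
        if not found:
            continue  # not a dnsmasq log line
        msg = found.group(1)
        if m := DS.match(msg):
            keytag, algo, digest = (int(x) for x in m.groups()[1:])
            names[m.group(1)]["ds"].append(
                (keytag, ALGO.get(algo, f"algo {algo}"), DIGEST.get(digest, f"digest {digest}")))
        elif m := VALIDATION.match(msg):
            names[m.group(1)]["status"] = m.group(2)
        elif m := ADDR.match(msg):
            names[m.group(1)]["answers"].append(m.group(2))
    return dict(names)

def bogus_with_answers(log_text):
    """Names rejected as BOGUS although upstream returned address records."""
    return sorted(n for n, r in triage(log_text).items()
                  if r["status"] == "BOGUS" and r["answers"])

if __name__ == "__main__":
    for name, rec in triage(SAMPLE_LOG).items():
        print(name, rec)
```

For the log above this reports paypal.com with a DS record of keytag 21037, RSASHA1 and a SHA-256 digest, status BOGUS, and both address answers.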