[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Simon Kelley simon at thekelleys.org.uk
Tue May 3 15:04:21 BST 2016


I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it works.

paypal.com is signed and status SECURE
www.paypal.com is INSECURE.


The server you're using (212.202.215.1) won't reply to DNS queries for
me, so I couldn't check that.


Cheers,

Simon.


On 03/05/16 11:57, Uwe Schindler wrote:
> I just noticed that dnsmasq no longer resolves paypal.com and its subdomains correctly. Other DNSSEC secured domains (like my own) work.
> 
> # dig paypal.com
> 
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;paypal.com.                    IN      A
> 
> ;; Query time: 22 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 03 12:49:13 CEST 2016
> ;; MSG SIZE  rcvd: 39
> 
> If the query log is enabled, it shows:
> 
> May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
> May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
> May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
> May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
> 
> I encountered the error for the first time with dnsmasq-2.76test8, but the problem did not change after upgrading to dnsmasq-2.76test13.
> 
> My config is:
> 
> # dnssec
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> dnssec
> dnssec-check-unsigned
> 
> Verisign's checker says everything is OK with paypal.com.
> 
> Uwe
> 
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe at thetaphi.de
> 
> 
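
Added example, not part of either message in this thread: a small Python parser for dnsmasq query-log lines in the format quoted above. It pairs each validation result with the upstream server the query was sent to, so the same name can be compared across forwarders. The function names and the `testhost` log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shapes follow the query log quoted in the post; other dnsmasq
# versions may word the validation line differently (assumption).
LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$")
SENT = re.compile(r"^(?:forwarded|dnssec-query\[\w+\]) (\S+) to (\S+)$")
VALID = re.compile(r"^validation (\S+) is ([A-Z]+)$")

def validation_by_upstream(lines):
    """Map name -> {upstream: status}, pairing each validation result with
    the server last logged for that name by the same dnsmasq process."""
    last_server = {}                  # (pid, name) -> upstream address
    results = defaultdict(dict)
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue
        pid, msg = m.groups()
        if s := SENT.match(msg):
            last_server[(pid, s.group(1))] = s.group(2)
        elif v := VALID.match(msg):
            name, status = v.groups()
            results[name][last_server.get((pid, name), "unknown")] = status
    return dict(results)

def disagreements(results):
    """Names whose status differs between upstreams: check the forwarder."""
    return {n: r for n, r in results.items() if len(set(r.values())) > 1}

# The sirius lines are from the post; the testhost lines are constructed
# (not from the post) to represent a run that forwards to 8.8.8.8.
SAMPLE = """\
May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May  3 15:01:02 testhost dnsmasq[4102]: query[A] paypal.com from 127.0.0.1
May  3 15:01:02 testhost dnsmasq[4102]: forwarded paypal.com to 8.8.8.8
May  3 15:01:02 testhost dnsmasq[4102]: dnssec-query[DS] paypal.com to 8.8.8.8
May  3 15:01:02 testhost dnsmasq[4102]: validation paypal.com is SECURE
""".splitlines()

if __name__ == "__main__":
    for name, per_server in disagreements(validation_by_upstream(SAMPLE)).items():
        print(name, per_server)
```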

