[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
uwe at thetaphi.de
Tue May 3 15:56:31 BST 2016
I have the feeling that 184.108.40.206 (my DNS server) has cached an old response with outdated key. Could this happen? In general DNSSEC works perfectly fine, but just this domain fails for me. I was expecting that maybe PayPal updated to newest signature/encryption algorithms that are not yet supported by dnsmasq. But as it works for you, I think it must be something else.
I will keep you informed if the problem still exists tomorrow. Is there a way to get more debug output about *what* exactly has failed?
H.-H.-Meier-Allee 63, D-28213 Bremen
eMail: uwe at thetaphi.de
> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Tuesday, May 03, 2016 4:04 PM
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
> I just tried it here, forwarding to 220.127.116.11 and 18.104.22.168 and it works.
> paypal.com is signed and status SECURE
> www.paypal.com is INSECURE.
> The server you're using (22.214.171.124) won't reply to DNS queries for
> me, so I couldn't check that.
> On 03/05/16 11:57, Uwe Schindler wrote:
> > I just noticed that dnsmasq no longer resolves paypal.com and its subdomains correctly. Other DNSSEC secured domains (like my own) work.
> > # dig paypal.com
> > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;paypal.com. IN A
> > ;; Query time: 22 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue May 03 12:49:13 CEST 2016
> > ;; MSG SIZE rcvd: 39
> > If the query log is enabled, it shows:
> > May 3 12:49:13 sirius dnsmasq: query[A] paypal.com from 127.0.0.1
> > May 3 12:49:13 sirius dnsmasq: forwarded paypal.com to
> > May 3 12:49:13 sirius dnsmasq: dnssec-query[DS] paypal.com to
> > May 3 12:49:13 sirius dnsmasq: reply paypal.com is DS keytag 21037, algo 5, digest 2
> > May 3 12:49:13 sirius dnsmasq: validation paypal.com is BOGUS
> > May 3 12:49:13 sirius dnsmasq: reply paypal.com is 126.96.36.199
> > May 3 12:49:13 sirius dnsmasq: reply paypal.com is 188.8.131.52
> > I encountered the error for the first time with dnsmasq-2.76test8, but the problem did not change after upgrading to dnsmasq-2.76test13.
> > My config is:
> > # dnssec
> > conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> > dnssec
> > dnssec-check-unsigned
> > Verisign's checker says everything is OK with paypal.com.
> > Uwe
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe at thetaphi.de
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
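As an added example (not code from this thread, from dnsmasq or from its author), here is a small Python parser for the kind of query-log lines quoted above, useful when you want to see at a glance which names ended BOGUS and which trust-chain records dnsmasq had fetched for them. It groups the `dnssec-query`, `reply ... DS keytag` and `validation` lines by name, decodes the algorithm and digest numbers (keytag 21037, algo 5, digest 2 is a DS record for an RSASHA1 key with a SHA-256 digest) and lists the names whose validation ended BOGUS, i.e. the ones the client sees as SERVFAIL even though the upstream did reply. The sample log is constructed to mirror the thread's lines; the upstream address 203.0.113.53 is a placeholder (the thread's copy lost the address), the example.org lines are made up for contrast, and the DNSKEY variant of the keytag line is an assumption about dnsmasq's log format rather than something shown on the page.

```python
import re
from collections import defaultdict

# DNSSEC algorithm and DS digest-type numbers, from the IANA registries
# (common entries only; unknown numbers are reported as plain numbers).
ALGO_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519"}
DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}

# Line shapes taken from the log quoted in the thread. The DNSKEY variant of
# the keytag line is an assumption about how dnsmasq formats it.
RE_VALIDATION = re.compile(r"dnsmasq: validation (\S+) is (SECURE|INSECURE|BOGUS)")
RE_KEYREC = re.compile(
    r"dnsmasq: reply (\S+) is (DS|DNSKEY) keytag (\d+), algo (\d+)(?:, digest (\d+))?")
RE_DNSSEC_QUERY = re.compile(r"dnsmasq: dnssec-query\[(\w+)\] (\S+) to")
RE_ANSWER = re.compile(r"dnsmasq: reply (\S+) is (\S+)$")

# Constructed sample: the paypal.com lines mirror the ones quoted in the
# thread (203.0.113.53 is a placeholder upstream); example.org is made up.
SAMPLE_LOG = """\
May 3 12:49:13 sirius dnsmasq: query[A] paypal.com from 127.0.0.1
May 3 12:49:13 sirius dnsmasq: forwarded paypal.com to 203.0.113.53
May 3 12:49:13 sirius dnsmasq: dnssec-query[DS] paypal.com to 203.0.113.53
May 3 12:49:13 sirius dnsmasq: reply paypal.com is DS keytag 21037, algo 5, digest 2
May 3 12:49:13 sirius dnsmasq: validation paypal.com is BOGUS
May 3 12:49:13 sirius dnsmasq: reply paypal.com is 192.0.2.10
May 3 12:49:14 sirius dnsmasq: query[A] example.org from 127.0.0.1
May 3 12:49:14 sirius dnsmasq: forwarded example.org to 203.0.113.53
May 3 12:49:14 sirius dnsmasq: dnssec-query[DS] example.org to 203.0.113.53
May 3 12:49:14 sirius dnsmasq: reply example.org is DS keytag 31589, algo 8, digest 2
May 3 12:49:14 sirius dnsmasq: validation example.org is SECURE
May 3 12:49:14 sirius dnsmasq: reply example.org is 192.0.2.20
"""


def summarise(log_text):
    """Group the dnsmasq log lines by query name and collect, per name, the
    validation verdict, the DS/DNSKEY records seen, the dnssec sub-queries
    issued and the ordinary answers the upstream returned."""
    names = defaultdict(lambda: {"status": None, "records": [],
                                 "queries": [], "answers": []})
    for line in log_text.splitlines():
        m = RE_VALIDATION.search(line)
        if m:
            names[m.group(1)]["status"] = m.group(2)
            continue
        m = RE_KEYREC.search(line)
        if m:
            name, rtype, keytag, algo, digest = m.groups()
            names[name]["records"].append((
                rtype, int(keytag),
                ALGO_NAMES.get(int(algo), algo),
                DIGEST_NAMES.get(int(digest), digest) if digest else None))
            continue
        m = RE_DNSSEC_QUERY.search(line)
        if m:
            names[m.group(2)]["queries"].append(m.group(1))
            continue
        m = RE_ANSWER.search(line)
        if m:
            names[m.group(1)]["answers"].append(m.group(2))
    return dict(names)


def bogus_domains(log_text):
    """Names whose validation ended BOGUS: dnsmasq answers these with SERVFAIL
    even though, as the log shows, the upstream did send an answer."""
    return sorted(n for n, s in summarise(log_text).items()
                  if s["status"] == "BOGUS")


def report(log_text):
    """Human-readable summary, one block per name."""
    out = []
    for name, s in sorted(summarise(log_text).items()):
        out.append(f"{name}: {s['status'] or 'no validation line'}")
        for rtype, keytag, algo, digest in s["records"]:
            suffix = f", digest {digest}" if digest else ""
            out.append(f"  {rtype} keytag {keytag}, algo {algo}{suffix}")
        if s["status"] == "BOGUS" and s["answers"]:
            out.append("  upstream answered but client gets SERVFAIL: "
                       + ", ".join(s["answers"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log with `report(open("/var/log/syslog").read())` (path assumed); the `records` list tells you which DS or DNSKEY the resolver was trying to chain through when it declared the name BOGUS, which is the first thing to compare against what an independent validator reports for the same name.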