[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Uwe Schindler uwe at thetaphi.de
Tue May 3 21:50:26 BST 2016


Hi Simon,

It looks like the provider's DNS really has outdated data in cache - look at the TTLs - so it should be fine tomorrow:

thetaphi at sirius:~$ dig @212.202.215.1 rrsig  paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 rrsig paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paypal.com.                    IN      RRSIG

;; ANSWER SECTION:
paypal.com.             48496   IN      RRSIG   DS 8 2 86400 20160510041550 20160503030550 34745 com. s3zvdSp0slicIVJlfv8Sn9SSuVf/Bm/98F9waWkNwGouczKhJSpFjdso DmVzQF7Ak4vIRZ5KfaKE4c5WyZYGJd0SF1nYXAFhpnJKtRu70JWjoktm cO6hobbykndsh0GIKsRA3xZ2sn0Oc72/0q0JtzHI5xeIXeMDe1ZI3zv+ sJY=

;; Query time: 12 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Tue May 03 22:46:09 CEST 2016
;; MSG SIZE  rcvd: 202

thetaphi at sirius:~$ dig @8.8.8.8 rrsig  paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 rrsig paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8497
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;paypal.com.                    IN      RRSIG

;; ANSWER SECTION:
paypal.com.             3599    IN      RRSIG   SOA 5 2 3600 20160602174036 20160503164036 11811 paypal.com. dzYkv7I/DjMR0YRmpjql1g5r9Zsi9bAzRsm6Wlq/9WIxKn3eokdcs8jN LtfXmChnQ6CIitzsOXZj0pvMHiq8Ah3QX3yBrqec79wELScwXl2G++5v 0940s6+JasAFnKCHRPP5KHn1csNlphflXkinG+IokmYoyskwwCOCaADA NyM=
paypal.com.             299     IN      RRSIG   NS 5 2 300 20160515070943 20160415062816 11811 paypal.com. wqK0n6fI2hSu9oteS0TLeZMqY80KOsun/UGDCMx+pCqIYiGQtvuqntwb pIBevESXYk3LLGbqWdPTSE+bkmJmsgy9JpcocLbhvyo6XWlx0F/WnC2G tWFEJ8h69hy/sIWthKfPk3LWkWe+1eitQt3wKpNSYjShepqlfmyRPZfx 9/s=
paypal.com.             299     IN      RRSIG   A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKFgokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtrCCLKyKw2j/cv Y5g=
paypal.com.             3599    IN      RRSIG   MX 5 2 3600 20160531040805 20160501035950 11811 paypal.com. aAv3qokZSJmKumTNGaOs9V/zd58/o8XHyIPrKQvNWul/JGxyoo43Fdjh 0vV0YlD/vhtkWgZxH/6+Z/te0ZvRnnk/uGVbt4HH9MYSVR2QDikSNfCm 04oKSthHN/joi7pjxuzbyklZOmuFjhcJPLpgXiKbACvRnZwfcWJwwOuA DT8=
paypal.com.             299     IN      RRSIG   TXT 5 2 300 20160516071400 20160416070722 11811 paypal.com. sDw3CY6FnMrue5rF4rLlLnbAU1/y0ybiHtZOtTwZ/qR9EvmWkI/lVwUG +gNoepkBub98OemTz+DTN4qslZwj79cSEyP1YFWWInylS1+2r22E2HrB vNpUmNwrW5kl/Tms8hats8uAXwu0UwD2GjyNcrq78IgaDHnGqQA0zacp lW4=
paypal.com.             59      IN      RRSIG   NSEC 5 2 60 20160527190908 20160427184249 11811 paypal.com. I1AR8lkCcXdNAsjTUmxWPSj5XRUCC+rcJ0DWKoSGxR6EHKOfKhDpmeBY MonF4NWn2nIHIRO712NsWg7BxH9SVfmBEXzDLlrunuGAI1gZZmkL1Yo0 2uFQo/l6oACeG13iE9Cnsku7hnPxaOP05TNrA5ipgH4Mq0VkDXSjFZ9k g20=
paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 11811 paypal.com. gXurHNSMnEJHnlOg/VT+JNFIr5qT9wsaNh8wnp4OUUWCfUhmHoPJfDPB GCdRjN+4vF6HtXNXLfjLGcDqMMfFlIGsrVwMqR1UWf+ctV2zXfHVNRKz 9sgeai2Gwx4gxtEUDJj7j4+eDW8c3fg/QwJWHK1bMciOC8JRmFXdDfwg xlw=
paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 21037 paypal.com. DIuMSuB4N6+VWeItBGwpe9lf9o0wdtACVk86/X4EXcB8ULx4BytTS4Qr SiY5D+KgJX48X/f6YLzJ30j0HgCzl8JHQEaznh/mW23YvCA3g6UUSzDd /lDHEC7pn1sAUI1HQuHDAB5dfAvWS5fPdCjNBUulAQztZ65QDcqvSxlC 5T+GPIrHi2mG/UfspgvfOc+kVU+HLivXKJhTlT2j+w2ZPrUk1vrIS/5v oVQyNiNVyU2pTGTT+bng1QTzVN6LQaYA45aqH1CCZ7e64YkuYg+47+sy Zcg5CK7dnglt8KQmQrgGpEpuFvjJ2S+9GcJ3tDOWMl60zf9FpPmmqJ8I 53BYFg==

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 03 22:46:41 CEST 2016
;; MSG SIZE  rcvd: 1527

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de

> -----Original Message-----
> From: Simon Kelley [mailto:simon at thekelleys.org.uk]
> Sent: Tuesday, May 03, 2016 6:42 PM
> To: Uwe Schindler <uwe at thetaphi.de>; dnsmasq-
> discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no
> longer work
> 
> On 03/05/16 15:56, Uwe Schindler wrote:
> > Hi,
> >
> > I have the feeling that 212.202.215.1 (my DNS server) has cached an
> > old response with outdated key. Could this happen?
> 
> It shouldn't, but it could, mainly if paypal got something wrong (for
> instance RRSIGS have times before which they're not valid and times
> after which they're not valid. If your server has cached an RRSIG with a
> long TTL so that it's returning an RRSIG that's out of time, that could
> explain this.)
> 
> 
> I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
> often I check the logs and look at the domains which failed DNSSEC. 95%
> of the time, by the time I get to do the check, the queries complete
> successfully. Transient errors seem to be a fact of life with DNSSEC.
> 
> > In general DNSSEC
> > works perfectly fine, but just this domain fails for me. I was
> > expecting that maybe PayPal updated to newest signature/encryption
> > algorithms that are not yet supported by dnsmasq. But as it works for
> > you, I think it must be something else.
> >
> > I will keep you informed if the problem still exists tomorrow. Is
> > there a way to get more debug output *what* exactly has failed?
> 
> The result of the queries
> 
> 
>  dig @212.202.215.1 +cd  +dnssec  paypal.com
>  dig @212.202.215.1 rrsig  paypal.com
> 
> would be interesting.
> 
> Cheers,
> 
> Simon.
> 
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe at thetaphi.de
> >
> >> -----Original Message----- From: Dnsmasq-discuss
> >> [mailto:dnsmasq-discuss- bounces at lists.thekelleys.org.uk] On Behalf
> >> Of Simon Kelley Sent: Tuesday, May 03, 2016 4:04 PM To:
> >> dnsmasq-discuss at lists.thekelleys.org.uk Subject: Re:
> >> [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
> >>
> >>
> >> I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it
> >> works.
> >>
> >> paypal.com is signed and status SECURE www.paypal.com is INSECURE.
> >>
> >>
> >> The server you're using (212.202.215.1) won't reply to DNS queries
> >> for me, so I couldn't check that.
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>
> >> On 03/05/16 11:57, Uwe Schindler wrote:
> >>> I just noticed that dnsmasq no longer resolves paypal.com and its
> >>> subdomains correctly. Other DNSSEC secured domains (like my own)
> >>> work.
> >>>
> >>> # dig paypal.com
> >>>
> >>> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >>>
> >>> ;; OPT PSEUDOSECTION:
> >>> ; EDNS: version: 0, flags:; udp: 4096
> >>> ;; QUESTION SECTION:
> >>> ;paypal.com.                    IN      A
> >>>
> >>> ;; Query time: 22 msec
> >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>> ;; WHEN: Tue May 03 12:49:13 CEST 2016
> >>> ;; MSG SIZE  rcvd: 39
> >>>
> >>> If the query log is enabled, it shows:
> >>>
> >>> May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
> >>> May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
> >>> May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
> >>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
> >>> May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
> >>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
> >>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
> >>>
> >>> I encountered the error for the first time with dnsmasq-2.76test8, but the
> >>> problem did not change after upgrading to dnsmasq-2.76test13.
> >>>
> >>> My config is:
> >>>
> >>> # dnssec
> >>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> >>> dnssec
> >>> dnssec-check-unsigned
> >>>
> >>> Verisign's checker says everything is OK with paypal.com.
> >>>
> >>> Uwe
> >>>
> >>> -----
> >>> Uwe Schindler
> >>> H.-H.-Meier-Allee 63, D-28213 Bremen
> >>> http://www.thetaphi.de
> >>> eMail: uwe at thetaphi.de
> >>>
> >>>
> >>>
> >>> _______________________________________________ Dnsmasq-
> discuss
> >>> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>
> >
> >
> >
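Simon's point above is that an RRSIG carries an inception and an expiration time, and a cache that hands out an RRSIG with a TTL longer than the signature's remaining lifetime will eventually serve a signature that is "out of time", which a validator then rejects as BOGUS. RFC 4035 section 5.3.3 requires a validating resolver to cap the TTL at the difference between the expiration time and the current time; a non-validating forwarder such as the provider's 212.202.215.1 need not. The script below is an added example, not code from the dnsmasq project or from either poster: it parses RRSIG lines in the presentation format dig prints, classifies each signature as valid, expired or not yet valid at a chosen instant, and flags records whose cached TTL outlives the signature. The sample input is constructed: the first line reuses the TTL, timestamps and key tag of the DS RRSIG from the 212.202.215.1 run above (with the base64 signature replaced by a placeholder, since the check does not verify the signature), the other two lines are invented stale cases, and the check time is the UTC equivalent of that dig run's WHEN line.

```python
"""Check the validity window of RRSIG records as printed by dig.

Added example, not from dnsmasq or the original poster. It does not
verify signatures; it only checks the time window and whether a cached
TTL would carry the RRSIG past its expiration (RFC 4035, section 5.3.3).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# RRSIG expiration/inception are YYYYMMDDHHmmSS, always UTC.
_TS_FMT = "%Y%m%d%H%M%S"

# Constructed sample. Line 1 carries the real TTL/timestamps/key tag of
# the DS RRSIG seen from 212.202.215.1 in the message above; the base64
# signature is a placeholder. Lines 2 and 3 are invented stale cases.
SAMPLE_DIG_OUTPUT = """\
paypal.com.             48496   IN      RRSIG   DS 8 2 86400 20160510041550 20160503030550 34745 com. AAAA
example.com.            80000   IN      RRSIG   DS 8 2 86400 20160425000000 20160418000000 12345 com. AAAA
example.net.            86400   IN      RRSIG   A 8 2 86400 20160504000000 20160427000000 12345 example.net. AAAA
"""

# "Tue May 03 22:46:09 CEST 2016" from the dig run, converted to UTC.
QUERY_TIME = datetime(2016, 5, 3, 20, 46, 9, tzinfo=timezone.utc)


@dataclass
class Rrsig:
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig(line: str) -> Rrsig:
    """Parse one 'owner ttl IN RRSIG type alg labels origttl exp inc tag signer sig' line."""
    f = line.split()
    if len(f) < 12 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG line: {line!r}")
    return Rrsig(
        owner=f[0],
        ttl=int(f[1]),
        type_covered=f[4],
        algorithm=int(f[5]),
        original_ttl=int(f[7]),
        expiration=datetime.strptime(f[8], _TS_FMT).replace(tzinfo=timezone.utc),
        inception=datetime.strptime(f[9], _TS_FMT).replace(tzinfo=timezone.utc),
        key_tag=int(f[10]),
        signer=f[11],
    )


def check_rrsig(sig: Rrsig, now: datetime) -> dict:
    """Classify the signature at `now` and flag a TTL that outlives it."""
    remaining = int((sig.expiration - now).total_seconds())
    if now < sig.inception:
        status = "not yet valid"
    elif now > sig.expiration:
        status = "expired"
    else:
        status = "valid"
    # A cache serving this TTL keeps answering with the RRSIG for `ttl`
    # seconds; if that exceeds the remaining lifetime, later clients get
    # an expired signature and a validator marks the name BOGUS.
    return {
        "owner": sig.owner,
        "covers": sig.type_covered,
        "key_tag": sig.key_tag,
        "status": status,
        "remaining_seconds": remaining,
        "ttl_outlives_signature": sig.ttl > remaining,
    }


def check_dig_output(text: str, now: datetime) -> list:
    """Run check_rrsig over every RRSIG line found in a block of dig output."""
    results = []
    for line in text.splitlines():
        f = line.split()
        if len(f) > 4 and f[2] == "IN" and f[3] == "RRSIG":
            results.append(check_rrsig(parse_rrsig(line), now))
    return results


def run_sample() -> list:
    """Check the constructed sample at the query time from the message."""
    return check_dig_output(SAMPLE_DIG_OUTPUT, QUERY_TIME)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['owner']} RRSIG({r['covers']}) keytag {r['key_tag']}: {r['status']}, "
              f"{r['remaining_seconds']}s left, ttl outlives signature: {r['ttl_outlives_signature']}")
```

To run it against a live answer, pipe `dig @<resolver> rrsig <name>` into a file and pass its contents to `check_dig_output` with `datetime.now(timezone.utc)`; a record reported as expired but still returned with a positive TTL is the cache-staleness case Simon describes, and the `ttl_outlives_signature` flag warns of the same failure before it happens.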
