[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Simon Kelley simon at thekelleys.org.uk
Tue May 3 23:01:35 BST 2016


That's the same RRSIG for the DS record that Google is giving, and it
looks fine. This may be a confusion in the upstream server between auth
zones. DS records (and the RRSIG for them) come from the _parent_ zone,
ie .com.


The answer that 8.8.8.8 gives includes all the RRSIGs for all the records in the
child zone, A, AAAA, TXT etc, and _not_ DS.


What do you get for

dig @212.202.215.1 +dnssec paypal.com

That should include the RRSIG for the A record; if it doesn't, then
212.202.215.1 is confused about the parent/child source for RRSIGs and
that's the source of the problem.


Cheers,

Simon




 On 03/05/16 21:50, Uwe Schindler wrote:
> Hi Simon,
> 
> It looks like the provider's DNS really has outdated data in cache - look at the TTLs - so it should be fine tomorrow:
> 
> thetaphi at sirius:~$ dig @212.202.215.1 rrsig  paypal.com
> 
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 rrsig paypal.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;paypal.com.                    IN      RRSIG
> 
> ;; ANSWER SECTION:
> paypal.com.             48496   IN      RRSIG   DS 8 2 86400 20160510041550 20160503030550 34745 com. s3zvdSp0slicIVJlfv8Sn9SSuVf/Bm
> /98F9waWkNwGouczKhJSpFjdso DmVzQF7Ak4vIRZ5KfaKE4c5WyZYGJd0SF1nYXAFhpnJKtRu70JWjoktm cO6hobbykndsh0GIKsRA3xZ2sn0Oc72/0q0JtzHI5xeIXeMD
> e1ZI3zv+ sJY=
> 
> ;; Query time: 12 msec
> ;; SERVER: 212.202.215.1#53(212.202.215.1)
> ;; WHEN: Tue May 03 22:46:09 CEST 2016
> ;; MSG SIZE  rcvd: 202
> 
> thetaphi at sirius:~$ dig @8.8.8.8 rrsig  paypal.com
> 
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 rrsig paypal.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8497
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;paypal.com.                    IN      RRSIG
> 
> ;; ANSWER SECTION:
> paypal.com.             3599    IN      RRSIG   SOA 5 2 3600 20160602174036 20160503164036 11811 paypal.com. dzYkv7I/DjMR0YRmpjql1g5
> r9Zsi9bAzRsm6Wlq/9WIxKn3eokdcs8jN LtfXmChnQ6CIitzsOXZj0pvMHiq8Ah3QX3yBrqec79wELScwXl2G++5v 0940s6+JasAFnKCHRPP5KHn1csNlphflXkinG+Iok
> mYoyskwwCOCaADA NyM=
> paypal.com.             299     IN      RRSIG   NS 5 2 300 20160515070943 20160415062816 11811 paypal.com. wqK0n6fI2hSu9oteS0TLeZMqY
> 80KOsun/UGDCMx+pCqIYiGQtvuqntwb pIBevESXYk3LLGbqWdPTSE+bkmJmsgy9JpcocLbhvyo6XWlx0F/WnC2G tWFEJ8h69hy/sIWthKfPk3LWkWe+1eitQt3wKpNSYjS
> hepqlfmyRPZfx 9/s=
> paypal.com.             299     IN      RRSIG   A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKF
> gokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtr
> CCLKyKw2j/cv Y5g=
> paypal.com.             3599    IN      RRSIG   MX 5 2 3600 20160531040805 20160501035950 11811 paypal.com. aAv3qokZSJmKumTNGaOs9V/z
> d58/o8XHyIPrKQvNWul/JGxyoo43Fdjh 0vV0YlD/vhtkWgZxH/6+Z/te0ZvRnnk/uGVbt4HH9MYSVR2QDikSNfCm 04oKSthHN/joi7pjxuzbyklZOmuFjhcJPLpgXiKbAC
> vRnZwfcWJwwOuA DT8=
> paypal.com.             299     IN      RRSIG   TXT 5 2 300 20160516071400 20160416070722 11811 paypal.com. sDw3CY6FnMrue5rF4rLlLnbA
> U1/y0ybiHtZOtTwZ/qR9EvmWkI/lVwUG +gNoepkBub98OemTz+DTN4qslZwj79cSEyP1YFWWInylS1+2r22E2HrB vNpUmNwrW5kl/Tms8hats8uAXwu0UwD2GjyNcrq78I
> gaDHnGqQA0zacp lW4=
> paypal.com.             59      IN      RRSIG   NSEC 5 2 60 20160527190908 20160427184249 11811 paypal.com. I1AR8lkCcXdNAsjTUmxWPSj5
> XRUCC+rcJ0DWKoSGxR6EHKOfKhDpmeBY MonF4NWn2nIHIRO712NsWg7BxH9SVfmBEXzDLlrunuGAI1gZZmkL1Yo0 2uFQo/l6oACeG13iE9Cnsku7hnPxaOP05TNrA5ipgH
> 4Mq0VkDXSjFZ9k g20=
> paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 11811 paypal.com. gXurHNSMnEJHnlOg/VT+J
> NFIr5qT9wsaNh8wnp4OUUWCfUhmHoPJfDPB GCdRjN+4vF6HtXNXLfjLGcDqMMfFlIGsrVwMqR1UWf+ctV2zXfHVNRKz 9sgeai2Gwx4gxtEUDJj7j4+eDW8c3fg/QwJWHK1
> bMciOC8JRmFXdDfwg xlw=
> paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 21037 paypal.com. DIuMSuB4N6+VWeItBGwpe
> 9lf9o0wdtACVk86/X4EXcB8ULx4BytTS4Qr SiY5D+KgJX48X/f6YLzJ30j0HgCzl8JHQEaznh/mW23YvCA3g6UUSzDd /lDHEC7pn1sAUI1HQuHDAB5dfAvWS5fPdCjNBUu
> lAQztZ65QDcqvSxlC 5T+GPIrHi2mG/UfspgvfOc+kVU+HLivXKJhTlT2j+w2ZPrUk1vrIS/5v oVQyNiNVyU2pTGTT+bng1QTzVN6LQaYA45aqH1CCZ7e64YkuYg+47+sy
> Zcg5CK7dnglt8KQmQrgGpEpuFvjJ2S+9GcJ3tDOWMl60zf9FpPmmqJ8I 53BYFg==
> 
> ;; Query time: 46 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue May 03 22:46:41 CEST 2016
> ;; MSG SIZE  rcvd: 1527
> 
> -----
> Uwe Schindler
> H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de
> eMail: uwe at thetaphi.de
> 
>> -----Original Message-----
>> From: Simon Kelley [mailto:simon at thekelleys.org.uk]
>> Sent: Tuesday, May 03, 2016 6:42 PM
>> To: Uwe Schindler <uwe at thetaphi.de>; dnsmasq-
>> discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no
>> longer work
>>
>> On 03/05/16 15:56, Uwe Schindler wrote:
>>> Hi,
>>>
>>> I have the feeling that 212.202.215.1 (my DNS server) has cached an
>>> old response with outdated key. Could this happen?
>>
>> It shouldn't, but it could, mainly if paypal got something wrong (for
>> instance RRSIGS have times before which they're not valid and times
>> after which they're not valid. If your server has cached an RRSIG with a
>> long TTL so that it's returning an RRSIG that's out of time, that could
>> explain this.)
>>
>>
>> I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
>> often I check the logs and look at the domains which failed DNSSEC. 95%
>> of the time, by the time I get to do the check, the queries complete
>> successfully. Transient errors seem to be a fact of life with DNSSEC.
>>
>>> In general DNSSEC
>>> works perfectly fine, but just this domain fails for me. I was
>>> expecting that maybe PayPal updated to newest signature/encryption
>>> algorithms that are not yet supported by dnsmasq. But as it works for
>>> you, I think it must be something else.
>>>
>>> I will keep you informed if the problem still exists tomorrow. Is
>>> there a way to get more debug output *what* exactly has failed?
>>
>> The result of the queries
>>
>>
>>  dig @212.202.215.1 +cd  +dnssec  paypal.com
>>  dig @212.202.215.1 rrsig  paypal.com
>>
>> would be interesting.
>>
>> Cheers,
>>
>> Simon.
>>
>>>
>>> Uwe
>>>
>>> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
>>> http://www.thetaphi.de eMail: uwe at thetaphi.de
>>>
>>>> -----Original Message----- From: Dnsmasq-discuss
>>>> [mailto:dnsmasq-discuss- bounces at lists.thekelleys.org.uk] On Behalf
>>>> Of Simon Kelley Sent: Tuesday, May 03, 2016 4:04 PM To:
>>>> dnsmasq-discuss at lists.thekelleys.org.uk Subject: Re:
>>>> [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
>>>>
>>>>
>>>> I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it
>>>> works.
>>>>
>>>> paypal.com is signed and status SECURE www.paypal.com is INSECURE.
>>>>
>>>>
>>>> The server you're using (212.202.215.1) won't reply to DNS queries
>>>> for me, so I couldn't check that.
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>>
>>>> On 03/05/16 11:57, Uwe Schindler wrote:
>>>>> I just noticed that dnsmasq no longer resolves paypal.com and its
>>>>> subdomains correctly. Other DNSSEC secured domains (like my own)
>>>>> work.
>>>>>
>>>>> # dig paypal.com
>>>>>
>>>>> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ;; QUESTION SECTION:
>>>>> ;paypal.com.                    IN      A
>>>>>
>>>>> ;; Query time: 22 msec
>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>>> ;; WHEN: Tue May 03 12:49:13 CEST 2016
>>>>> ;; MSG SIZE  rcvd: 39
>>>>>
>>>>> If the query log is enabled, it shows:
>>>>>
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
>>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
>>>>>
>>>>> I encountered the error for the first time with dnsmasq-2.76test8,
>>>>> but the problem did not change after upgrading to dnsmasq-2.76test13.
>>>>>
>>>>> My config is:
>>>>>
>>>>> # dnssec
>>>>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>>>>> dnssec
>>>>> dnssec-check-unsigned
>>>>>
>>>>> Verisign's checker says everything is OK with paypal.com.
>>>>>
>>>>> Uwe
>>>>>
>>>>> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
>>>>> http://www.thetaphi.de eMail: uwe at thetaphi.de
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
> 
> 
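Simon's point that a DS RRSIG must be signed by the parent zone, together with the earlier suspicion of a cached RRSIG being served past its validity window, can be checked mechanically against dig output. The following Python is an added example, not part of the thread or of dnsmasq: it parses RRSIG lines in dig's presentation format and flags a signature outside its validity window, a signer name that does not match the expected zone (the parent for DS, the owner itself for everything else), or a cached TTL that outlives the signature. The first two sample lines are the records quoted above (signature data truncated); the `stale_a` and `ds_wrong_signer` lines and the `NOW` timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
#   owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parent_of(name):
    return name.split(".", 1)[1]          # "paypal.com." -> "com."

def check_rrsig(line, now):
    """Return the list of problems with one RRSIG line; an empty list means it looks sane."""
    m = RRSIG_RE.match(line)
    if not m:
        return ["unparseable RRSIG line"]
    f = m.groupdict()
    inc, exp = _ts(f["inc"]), _ts(f["exp"])
    problems = []
    if not inc <= now <= exp:
        problems.append(f"{f['covered']} RRSIG outside validity window {inc:%Y-%m-%d}..{exp:%Y-%m-%d}")
    # The DS RRset is published by the parent zone, so its RRSIG must carry the parent's
    # signer name; every other type at this owner is signed by the child zone itself.
    expected = parent_of(f["owner"]) if f["covered"] == "DS" else f["owner"]
    if f["signer"] != expected:
        problems.append(f"{f['covered']} RRSIG signed by {f['signer']}, expected {expected}")
    # A cached TTL longer than the remaining validity lets a resolver keep handing out
    # the RRSIG after it has expired, which is the failure mode the thread suspects.
    if int(f["ttl"]) > (exp - now).total_seconds():
        problems.append(f"cached TTL {f['ttl']}s outlives the {f['covered']} RRSIG")
    return problems

# Constructed: roughly when the dig runs in the thread happened (22:46 CEST = 20:46 UTC).
NOW = datetime(2016, 5, 3, 20, 46, tzinfo=timezone.utc)

# First two lines are from the thread (signatures truncated); the last two are constructed.
SAMPLES = {
    "ds_from_isp":     "paypal.com.  48496  IN  RRSIG  DS 8 2 86400 20160510041550 20160503030550 34745 com. s3zv...",
    "a_from_google":   "paypal.com.  299    IN  RRSIG  A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbw...",
    "stale_a":         "paypal.com.  86400  IN  RRSIG  A 5 2 300 20160502000000 20160402000000 11811 paypal.com. AAAA...",
    "ds_wrong_signer": "paypal.com.  299    IN  RRSIG  DS 8 2 86400 20160510041550 20160503030550 34745 paypal.com. AAAA...",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", check_rrsig(line, NOW) or "ok")
```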



