[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
Simon Kelley
simon at thekelleys.org.uk
Wed May 4 21:25:17 BST 2016
On 04/05/16 07:29, Uwe Schindler wrote:
>> What do you get for
>>
>> dig @212.202.215.1 +dnssec paypal.com
>>
>> That should include the RRSIG for the A record, if it doesn't then
>> 212.202.215.1 is confused about the parent/child source for RRSIGS and
>> that's the source of the problem.
>
> It is not included - you are right. The question is: what's wrong with the upstream server? (but this is nothing for discussion here).
>
> Anyways, paypal.com still does not resolve with dnsmasq.
>
> thetaphi at sirius:~$ dig @212.202.215.1 +dnssec paypal.com
>
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 +dnssec paypal.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24082
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;paypal.com. IN A
>
> ;; ANSWER SECTION:
> paypal.com. 151 IN A 66.211.169.66
> paypal.com. 151 IN A 66.211.169.3
>
> ;; Query time: 11 msec
> ;; SERVER: 212.202.215.1#53(212.202.215.1)
> ;; WHEN: Wed May 04 08:15:17 CEST 2016
> ;; MSG SIZE rcvd: 71
>
Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
upstream server at 212.202.215.1 is broken. I realise that doesn't solve
the problem, but at least you know where to work now :)

(The reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed. If the
answer to the paypal.com query isn't signed, it may be a false answer,
so it can't be trusted.)
Cheers,
Simon.
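The decision Simon describes (the parent's DS record says the zone is signed, the upstream answer carries no RRSIG, so the answer is bogus and the client gets SERVFAIL) can be modelled offline. The following is an added example, not dnsmasq's code and not part of the thread: it parses dig-style output, checks whether every RRset in the answer section is covered by an RRSIG, and combines that with whether the parent publishes a DS. The first input is a constructed copy of the unsigned answer quoted above; the second is a constructed answer with a placeholder RRSIG; `parent_has_ds` is passed in rather than looked up, and signature verification itself is not performed.

```python
"""
Model of the validating-resolver decision described in the thread.
Added example, not dnsmasq's own code.
"""
import re
from collections import defaultdict

# Constructed copy of the upstream answer quoted in the thread:
# DO bit set, two A records, no RRSIG.
UPSTREAM_ANSWER_NO_RRSIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A
;; ANSWER SECTION:
paypal.com. 151 IN A 66.211.169.66
paypal.com. 151 IN A 66.211.169.3
"""

# Constructed answer from a correct upstream: same A records plus an RRSIG
# covering the A RRset. Key tag, dates and signature bytes are placeholders.
UPSTREAM_ANSWER_WITH_RRSIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
paypal.com. 151 IN A 66.211.169.66
paypal.com. 151 IN A 66.211.169.3
paypal.com. 151 IN RRSIG A 8 2 300 20160601000000 20160501000000 12345 paypal.com. PLACEHOLDER==
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer_section(dig_output):
    """Return (rrsets, rrsigs).

    rrsets maps (owner, type) -> list of rdata strings from the ANSWER section;
    rrsigs is the set of (owner, type_covered) pairs that carry an RRSIG."""
    rrsets = defaultdict(list)
    rrsigs = set()
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner = owner.lower()
        if rtype == "RRSIG":
            type_covered = rdata.split()[0]   # first RRSIG field is the type covered
            rrsigs.add((owner, type_covered))
        else:
            rrsets[(owner, rtype)].append(rdata)
    return rrsets, rrsigs


def classify(dig_output, parent_has_ds):
    """Classify an upstream answer as 'secure', 'insecure' or 'bogus'.

    parent_has_ds: assumption supplied by the caller, standing in for the
    chain-of-trust check that the parent zone publishes a DS for this zone."""
    rrsets, rrsigs = parse_answer_section(dig_output)
    if not parent_has_ds:
        # No DS at the parent: the zone is unsigned, no RRSIG is expected.
        return "insecure"
    for (owner, rtype) in rrsets:
        if (owner, rtype) not in rrsigs:
            # Signed zone but an unsigned RRset: the data may be forged.
            return "bogus"
    # RRSIG present for every RRset; a real resolver verifies the
    # signature against the DNSKEY next, which this model does not do.
    return "secure"


def resolver_rcode(dig_output, parent_has_ds):
    """What the validating resolver hands back to its client."""
    return "SERVFAIL" if classify(dig_output, parent_has_ds) == "bogus" else "NOERROR"
```

Run against the quoted answer with `parent_has_ds=True`, `classify` returns `"bogus"` and `resolver_rcode` returns `"SERVFAIL"`, which is the behaviour Uwe saw; the same answer with `parent_has_ds=False` would simply be `"insecure"` and passed through. The practical check remains the one from the thread: query the upstream directly with `dig @upstream +dnssec name` and confirm an RRSIG accompanies the answer RRset.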