[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

/dev/rob0 rob0 at gmx.co.uk
Sat May 14 20:51:50 BST 2016


On Sat, May 14, 2016 at 08:55:58PM +0200, Uwe Schindler wrote:
> > > Well, that's the smoking gun. Dnsmasq is doing the right thing, 
> > > and your upstream server at 212.202.215.1 is broken. I realise 
> > > that doesn't solve the problem, but at least you know where to 
> > > work now :)
> > >
> > > (the reason dnsmasq is returning SERVFAIL is that there's a 
> > > chain-of-trust from the root that says paypal.com is signed.
> > > If the answer to the paypal.com query isn't signed, it may be
> > > a false answer, so it can't be trusted.)
> > 
> > Of course this is the right thing to do!
> > 
> > I will contact the upstream provider and ask them to fix this!
> > 
> > Interestingly, two of their three IPv4 DNS servers have the 
> > problem. The 3rd one and all three IPv6 DNS servers are working 
> > fine. This explains why it sometimes worked.
> > 
> > Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows 
> > more servers, retry on others, too?
> 
> What do you think about this proposal?

Hmm.

I think the story illustrates the importance of controlling your own 
upstream resolver, or at least of using one you know you can trust.

I think there are two main reasons why signatures are broken:
  1. Domain manager had an error in signing and/or keys
     (usually a software problem with signing)
  2. DNS hijacking (not necessarily of malicious intent)

Sometimes people get started validating DNSSEC and lose their will
to be doing so after a SERVFAIL or two.  Those folks are better off 
disabling validation.  But you're not necessarily among them, it 
seems; you're just getting occasionally broken replies from the 
upstream server.

The problem I have with your idea is that you don't really have an 
automated means to determine the problem upstream.  You simply cannot 
rely on a broken upstream server if you're going to validate.  So you 
fall back on 8.8.8.8 for any DNSSEC failure ... but wouldn't you be 
better off just using 8.8.8.8 and dumping the broken one?

I've said before what I do ... I have *both* dnsmasq and named 
running; dnsmasq on port 53 and named on 127.0.0.1:1035.  The named 
is doing recursion only.  Yes, I'm hard core. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
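The dual-resolver layout described in the last paragraph (dnsmasq on port 53 validating, forwarding only to a recursive named on 127.0.0.1:1035), expressed as configuration. This is an added example, not the author's actual files and not shipped by the dnsmasq or BIND projects; it assumes a current dnsmasq with DNSSEC support compiled in and BIND 9.8 or later. The trust-anchor line is the DS record of the root KSK with key tag 20326; treat it as an assumption and check it against https://data.iana.org/root-anchors/ before relying on it (in May 2016 the root was still signed with key tag 19036).

```conf
# /etc/dnsmasq.conf (added example): the forwarder clients talk to.
# Note that dnsmasq only honours comments at the start of a line, and that
# '#' inside a server= value is the port separator, so keep comments separate.
port=53
# Do not read /etc/resolv.conf; the local named is the only upstream.
no-resolv
server=127.0.0.1#1035
# Validate every answer here, regardless of what the upstream did.
dnssec
# Require proof (NSEC/NSEC3 from the chain of trust) before accepting an
# unsigned answer; this is what turns a stripped paypal.com reply into SERVFAIL.
dnssec-check-unsigned
# Root KSK 20326 DS record; verify against IANA's published root anchors.
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

// /etc/named.conf (added example): recursion only, reachable from localhost.
options {
    listen-on port 1035 { 127.0.0.1; };
    listen-on-v6 { none; };
    recursion yes;
    allow-recursion { 127.0.0.1; };
    // Optional: dnsmasq validates anyway, so this is belt and braces,
    // but it also lets named set AD for its own clients.
    dnssec-validation auto;
};
```

With this layout a broken provider resolver never enters the picture: named talks to the authoritative servers directly, so the only things that can produce SERVFAIL are a genuinely broken signature or a middlebox on the path.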
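The diagnosis the thread arrives at by hand (two of the provider's three IPv4 resolvers strip DNSSEC records, so validation only sometimes works) can be automated with a small probe. The following is an added example, not code from the post or from the dnsmasq project: a POSIX shell script around BIND's dig that sends a query with the DO bit for paypal.com (the zone from the thread) to each upstream you name and classifies the reply. The function names, the constructed sample replies and the 192.0.2.x addresses are this example's own assumptions; the reply text mimics dig's output format.

```shell
#!/bin/sh
# Added example (not from the list post or the dnsmasq project): probe each
# upstream resolver with a DO-bit query for a zone known to be signed and
# report whether it returns RRSIGs, strips them (the broken-upstream case in
# the thread), SERVFAILs, or answers nothing. Requires dig (BIND utilities).
# The zone paypal.com comes from the thread; every function name, the sample
# replies and the 192.0.2.x addresses are this example's own constructions.

# classify_reply: read dig +dnssec output on stdin and print one word:
#   SIGNED    answer contains RRSIG records (dnsmasq can validate it)
#   UNSIGNED  answer has A/AAAA records but no RRSIG: upstream drops DNSSEC
#   SERVFAIL  upstream itself failed (possibly its own validation failing)
#   NOANSWER  timeout, no records, or dig missing
classify_reply() {
    reply=$(cat)
    if printf '%s\n' "$reply" | grep -q 'status: SERVFAIL'; then
        echo SERVFAIL
    elif printf '%s\n' "$reply" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo SIGNED
    elif printf '%s\n' "$reply" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+(A|AAAA)[[:space:]]'; then
        echo UNSIGNED
    else
        echo NOANSWER
    fi
}

# ad_flag_set: exit 0 if the flags line on stdin carries AD, i.e. the upstream
# claims to have validated. dnsmasq ignores this and validates itself; the bit
# only tells you how the upstream is configured.
ad_flag_set() {
    grep -q '^;; flags:.* ad[ ;]'
}

# probe_upstream ADDRESS NAME: query one upstream with the DO bit set and
# print the classification of what came back.
probe_upstream() {
    command -v dig >/dev/null 2>&1 || { echo NOANSWER; return; }
    dig +dnssec +noall +answer +comments +time=3 +tries=1 "$2" A "@$1" 2>/dev/null \
        | classify_reply
}

# Constructed sample replies (not real captures) so the classifier can be
# exercised offline. The RRSIG signature field is placeholder base64.
sample_signed_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
paypal.com.   300  IN  A      192.0.2.10
paypal.com.   300  IN  RRSIG  A 8 2 300 20160601000000 20160501000000 12345 paypal.com. c2lnbmF0dXJlLWJ5dGVzLW9taXR0ZWQ=
EOF
}

sample_stripped_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
paypal.com.   300  IN  A      192.0.2.10
EOF
}

sample_servfail_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# main UPSTREAM...: check every upstream given; exit 1 if any of them fails
# to return signed data. PROBE_NAME overrides the zone to query.
main() {
    name=${PROBE_NAME:-paypal.com}
    rc=0
    for upstream in "$@"; do
        verdict=$(probe_upstream "$upstream" "$name")
        printf '%-39s %s\n' "$upstream" "$verdict"
        [ "$verdict" = SIGNED ] || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh dnssec-probe.sh 212.202.215.1 8.8.8.8` (the first address is the upstream named in the thread) and any line reading UNSIGNED is a resolver that dnsmasq will, correctly, refuse to trust for signed zones. An upstream that answers SIGNED but without AD is fine for a validating dnsmasq; only the RRSIGs matter, since dnsmasq does its own validation.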


