[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Uwe Schindler uwe at thetaphi.de
Tue May 3 15:56:31 BST 2016


Hi,

I have the feeling that 212.202.215.1 (my DNS server) has cached an old response with an outdated key. Could this happen? In general DNSSEC works perfectly fine, but just this domain fails for me. I was expecting that maybe PayPal updated to the newest signature/encryption algorithms that are not yet supported by dnsmasq. But as it works for you, I think it must be something else.

I will keep you informed if the problem still exists tomorrow. Is there a way to get more debug output *what* exactly has failed?

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Tuesday, May 03, 2016 4:04 PM
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no
> longer work
> 
> 
> I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it works.
> 
> paypal.com is signed and status SECURE
> www.paypal.com is INSECURE.
> 
> 
> The server you're using (212.202.215.1) won't reply to DNS queries for
> me, so I couldn't check that.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> On 03/05/16 11:57, Uwe Schindler wrote:
> > I just noticed that dnsmasq no longer resolves paypal.com and its subdomains correctly. Other DNSSEC secured domains (like my own) work.
> >
> > # dig paypal.com
> >
> > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;paypal.com.                    IN      A
> >
> > ;; Query time: 22 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue May 03 12:49:13 CEST 2016
> > ;; MSG SIZE  rcvd: 39
> >
> > If the query log is enabled, it shows:
> >
> > May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
> > May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
> > May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
> > May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
> > May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
> > May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
> > May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
> >
> > I encountered the error for the first time with dnsmasq-2.76test8, but the problem did not change after upgrading to dnsmasq-2.76test13.
> >
> > My config is:
> >
> > # dnssec
> > conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> > dnssec
> > dnssec-check-unsigned
> >
> > Verisign's checker says everything is OK with paypal.com.
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe at thetaphi.de
> >
> 
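To narrow down a BOGUS result like the one in the log above, it helps to check by hand whether the DS record served by the parent still covers a key in the zone's current DNSKEY RRset. The following Python is added here as an example and is not dnsmasq code: it computes the RFC 4034 key tag and DS digest for a constructed DNSKEY (zone name and key bytes are made up) and reports whether a given DS matches, including the case of a DS left over from before a key rollover.

```python
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # no GOST (3)

def wire_name(owner):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire RDATA of a DNSKEY record: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the 'keytag' printed by dnsmasq)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).digest()

def check_ds(owner, ds, dnskeys):
    """Which DNSKEY does the DS (keytag, alg, digest_type, digest) cover?
    No match means the chain of trust is broken: the zone validates BOGUS."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return "UNSUPPORTED_DIGEST"
    candidates = [k for k in dnskeys if key_tag(k) == tag and k[3] == alg]
    if not candidates:
        return "NO_KEY_WITH_TAG"  # e.g. a DS cached from before a key rollover
    if any(ds_digest(owner, k, dtype) == digest for k in candidates):
        return "MATCH"
    return "DIGEST_MISMATCH"

# Constructed data: a hypothetical zone, its current KSK and the KSK it replaced.
# The key bytes are arbitrary filler, not real RSA key material.
ZONE = "example.com."
KSK = dnskey_rdata(257, 3, 5, bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD]))
OLD_KSK = dnskey_rdata(257, 3, 5, bytes([0x03, 0x01, 0x00, 0x01, 0x12, 0x34]))
CURRENT_DS = (key_tag(KSK), 5, 2, ds_digest(ZONE, KSK, 2))
STALE_DS = (key_tag(OLD_KSK), 5, 2, ds_digest(ZONE, OLD_KSK, 2))

if __name__ == "__main__":
    print("current DS:", check_ds(ZONE, CURRENT_DS, [KSK]))  # MATCH
    print("stale DS:  ", check_ds(ZONE, STALE_DS, [KSK]))    # NO_KEY_WITH_TAG
```

With real data, feed the DS tuple from the parent (as dnsmasq logs it: keytag, algo, digest type) and the zone's DNSKEY RDATA from a direct query to the authoritative servers; a NO_KEY_WITH_TAG result from the cached DS but a MATCH from a freshly fetched one points at stale cache rather than at the validator.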