[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
simon at thekelleys.org.uk
Tue May 3 17:42:19 BST 2016
On 03/05/16 15:56, Uwe Schindler wrote:
> I have the feeling that 18.104.22.168 (my DNS server) has cached an
> old response with outdated key. Could this happen?
It shouldn't, but it could, mainly if paypal got something wrong (for
instance RRSIGS have times before which they're not valid and times
after which they're not valid. If your server has cached an RRSIG with a
long TTL so that it's returning an RRSIG that's out of time, that could
I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
often I check the logs and look at the domains which failed DNSSEC. 95%
of the time, by the time I get to do the check, the queries complete
successfully. Transient errors seem to be a fact of life with DNSSEC.
> In general DNSSEC
> works perfectly fine, but just this domain fails for me. I was
> expecting that maybe PayPal updated to newest signature/encryption
> algorithms that are not yet supported by dnsmasq. But as it works for
> you, I think it must be something else.
> I will keep you informed if the problem still exists tomorrow. Is
> there a way to get more debug output *what* exactly has failed?
The result of the queries
dig @22.214.171.124 +cd +dnssec paypal.com
dig @126.96.36.199 rrsig paypal.com
would be interesting.
> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
> http://www.thetaphi.de eMail: uwe at thetaphi.de
>> -----Original Message----- From: Dnsmasq-discuss
>> [mailto:dnsmasq-discuss- bounces at lists.thekelleys.org.uk] On Behalf
>> Of Simon Kelley Sent: Tuesday, May 03, 2016 4:04 PM To:
>> dnsmasq-discuss at lists.thekelleys.org.uk Subject: Re:
>> [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
>> I just tried it here, forwarding to 188.8.131.52 and 184.108.40.206 and it
>> paypal.com is signed and status SECURE www.paypal.com is INSECURE.
>> The server you're using (220.127.116.11) won't reply to DNS queries
>> for me, so I couldn't check that.
>> On 03/05/16 11:57, Uwe Schindler wrote:
>>> I just noticed that dnsmasq no longer resolves paypal.com and
>> subdomains correctly. Other DNSSEC secured domains (like my own)
>>> # dig paypal.com
>>> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com ;; global
>>> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,
>>> status: SERVFAIL, id: 51807 ;; flags: qr rd ra; QUERY: 1, ANSWER:
>>> 0, AUTHORITY: 0, ADDITIONAL: 1
>>> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
>>> QUESTION SECTION: ;paypal.com. IN A
>>> ;; Query time: 22 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;;
>>> WHEN: Tue May 03 12:49:13 CEST 2016 ;; MSG SIZE rcvd: 39
>>> If the query log is enabled, it shows:
>>> May 3 12:49:13 sirius dnsmasq: query[A] paypal.com from
>>> 127.0.0.1 May 3 12:49:13 sirius dnsmasq: forwarded
>>> paypal.com to
>>> May 3 12:49:13 sirius dnsmasq: dnssec-query[DS] paypal.com
>>> May 3 12:49:13 sirius dnsmasq: reply paypal.com is DS
>>> keytag 21037,
>> algo 5, digest 2
>>> May 3 12:49:13 sirius dnsmasq: validation paypal.com is
>>> BOGUS May 3 12:49:13 sirius dnsmasq: reply paypal.com is
>>> 18.104.22.168 May 3 12:49:13 sirius dnsmasq: reply
>>> paypal.com is 22.214.171.124
>>> I encountered the error for the first time with
>>> dnsmasq-2.76test8, but the
>> problem did not change after upgrading to dnsmasq-2.76test13.
>>> My config is:
>>> # dnssec conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>>> dnssec dnssec-check-unsigned
>>> Verisign's checker says everything is OK with paypal.com.
>>> ----- Uwe Schindler H.-H.-Meier-Allee 63, D-28213 Bremen
>>> http://www.thetaphi.de eMail: uwe at thetaphi.de
>>> _______________________________________________ Dnsmasq-discuss
>>> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
More information about the Dnsmasq-discuss