[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Uwe Schindler uwe at thetaphi.de
Wed May 4 07:29:03 BST 2016


Hi,

> That's the same RRSIG for the DS record that Google is giving, and it
> looks fine. This may be a confusion in the upstream server between auth
> zones. DS records (and the RRSIG for them) come from the _parent_ zone,
> ie .com.
> 
> 
> The answer that 8.8.8.8 gives has all the RRSIGs for all the records in the
> child zone, A, AAAA, TXT etc, and _not_ DS.
> 
> 
> What do you get for
> 
> dig @212.202.215.1 +dnssec paypal.com
> 
> That should include the RRSIG for the A record, if it doesn't then
> 212.202.215.1 is confused about the parent/child source for RRSIGS and
> that's the source of the problem.

It is not included - you are right. The question is: what's wrong with the upstream server? (but this is nothing for discussion here).

Anyways, paypal.com still does not resolve with dnsmasq. 

thetaphi at sirius:~$ dig @212.202.215.1 +dnssec paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 +dnssec paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24082
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com.                    IN      A

;; ANSWER SECTION:
paypal.com.             151     IN      A       66.211.169.66
paypal.com.             151     IN      A       66.211.169.3

;; Query time: 11 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Wed May 04 08:15:17 CEST 2016
;; MSG SIZE  rcvd: 71

thetaphi at sirius:~$ dig @8.8.8.8 +dnssec paypal.com
[...]

;; ANSWER SECTION:
paypal.com.             219     IN      A       66.211.169.3
paypal.com.             219     IN      A       66.211.169.66
paypal.com.             219     IN      RRSIG   A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKFgokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtrCCLKyKw2j/cv Y5g=




For comparison I also added the output of my own domain, which resolves perfectly and gives valid results:

thetaphi at sirius:~$ dig @212.202.215.1 +dnssec thetaphi.de
[...]

;; ANSWER SECTION:
thetaphi.de.            28800   IN      A       51.254.41.57
thetaphi.de.            28800   IN      RRSIG   A 7 2 28800 20160516023037 20160502061203 22788 thetaphi.de. PKbB5xz7BcyMVGzsGHv4syI0YCjF/NARnFuEx81CFKbTX+Ecvm+52P84 kJp8lai9TMaeJSzx7nTopQCVcoysTqPJubghWHioiQR5u0gzMnMEpyXX NG2M3LpDsDsLBHFfbs9k+GbtRIQphBdcCFxBSHVPHak1gTJ5tIkSUxgw Vk4=


Or another one with .com:

thetaphi at sirius:~$ dig @212.202.215.1 +dnssec sd-datasolutions.com
[...]

;; ANSWER SECTION:
sd-datasolutions.com.   28800   IN      A       51.254.41.57
sd-datasolutions.com.   28800   IN      RRSIG   A 7 2 28800 20160513035334 20160429072527 62085 sd-datasolutions.com. QcHrH/LP1EiTxXqwiD4KA6tBF2EUSBlMxNu8IPvPu1DldqjdfVMwOHqb lUQbAUoNhzt/YyYPUHo/0lIAwUJnmEVBek+PyjJwsKUA2ekZT/SdDKBI Ul15xvuWLcNa4VZxJM1I/1nNzVzf24WIxeiNK/h7/nHpIXSnF+mtoSWU fJk=


So to me this looks really strange!

Thanks for helping to figure out what's wrong,
Uwe
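Simon's diagnostic above comes down to mechanical checks on a +dnssec answer: is there an RRSIG covering the RRset that was asked for, is it signed by the zone that should sign it (the parent for DS, the zone itself for everything else), and does the current time fall inside its inception/expiration window. The following Python script is an added example written for this page, not code from the thread or from dnsmasq. It parses dig output, with the two paypal.com answers from the post embedded as sample input and a constructed DS sample (placeholder digest and signature) to exercise the signer check. It checks structure only and does not verify the signature bytes.

```python
"""Check a `dig +dnssec` answer for a covering, in-window RRSIG.

Added example for this page, not code from the thread or from dnsmasq.
The dig output below is copied from the post (212.202.215.1 vs 8.8.8.8);
the DS samples are constructed, with a placeholder digest and signature.
Structure only: signature bytes are not verified.
"""
import re
from datetime import datetime, timezone

# `dig @212.202.215.1 +dnssec paypal.com` (trimmed): the A records come back
# but no RRSIG, even though the DO bit was set.
DIG_UPSTREAM = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096

;; ANSWER SECTION:
paypal.com.             151     IN      A       66.211.169.66
paypal.com.             151     IN      A       66.211.169.3

;; Query time: 11 msec
"""

# Answer section of `dig @8.8.8.8 +dnssec paypal.com` from the post.
DIG_GOOGLE = """\
;; ANSWER SECTION:
paypal.com.             219     IN      A       66.211.169.3
paypal.com.             219     IN      A       66.211.169.66
paypal.com.             219     IN      RRSIG   A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKFgokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtrCCLKyKw2j/cv Y5g=

"""

# Constructed: a DS RRset lives in the parent zone, so its RRSIG must be
# signed by com. (keytag 34745, as in the post). The second copy is signed by
# paypal.com. itself, which is what a confused cache could hand back.
_DS = ";; ANSWER SECTION:\npaypal.com. 86400 IN DS 21037 5 2 " + "00" * 32 + "\n"
DIG_DS_OK = _DS + "paypal.com. 86400 IN RRSIG DS 8 2 86400 20160510041550 20160503030550 34745 com. c2ln\n\n"
DIG_DS_BAD = _DS + "paypal.com. 86400 IN RRSIG DS 5 2 86400 20160510041550 20160503030550 11811 paypal.com. c2ln\n\n"

_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def utc(ts):
    """RRSIG inception/expiration as dig prints them: YYYYMMDDHHMMSS, UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def answer_section(dig_output):
    """RR lines between ';; ANSWER SECTION:' and the next blank line."""
    lines, grab = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            grab = True
        elif grab and not line.strip():
            break
        elif grab:
            lines.append(line)
    return lines


def parse_rr(line):
    """Parse one RR line; RRSIG rdata is split into its RFC 4034 fields."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError("unparsable RR line: %r" % line)
    owner, ttl, rtype, rdata = m.groups()
    rec = {"owner": owner.lower(), "ttl": int(ttl), "type": rtype, "rdata": rdata}
    if rtype == "RRSIG":
        f = rdata.split()
        rec.update(covers=f[0], alg=int(f[1]), labels=int(f[2]), orig_ttl=int(f[3]),
                   expiration=utc(f[4]), inception=utc(f[5]), keytag=int(f[6]),
                   signer=f[7].lower(), signature="".join(f[8:]))
    return rec


def check_sig(sig, qname, qtype, now):
    """Signer and validity-window checks for one RRSIG (no crypto)."""
    signer = sig["signer"]
    if not (signer == "." or signer == qname or qname.endswith("." + signer)):
        return "wrong-signer"          # signer is neither the name nor an ancestor
    if qtype == "DS" and signer == qname:
        return "wrong-signer"          # DS lives in, and is signed by, the parent zone
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    return "signed"


def diagnose(dig_output, qname, qtype, now):
    """One of: no-rrset, no-rrsig, wrong-signer, not-yet-valid, expired,
    signed. One usable covering RRSIG is enough (key rollovers carry two)."""
    qname = qname.lower().rstrip(".") + "."
    mine = [r for r in map(parse_rr, answer_section(dig_output)) if r["owner"] == qname]
    if not any(r["type"] == qtype for r in mine):
        return "no-rrset"
    sigs = [r for r in mine if r["type"] == "RRSIG" and r["covers"] == qtype]
    if not sigs:
        return "no-rrsig"              # a validator behind this resolver can only fail
    results = [check_sig(s, qname, qtype, now) for s in sigs]
    return "signed" if "signed" in results else results[0]


if __name__ == "__main__":
    now = utc("20160504061517")        # 08:15:17 CEST, when the post's dig ran
    for label, out, qt in [("upstream A", DIG_UPSTREAM, "A"), ("8.8.8.8 A", DIG_GOOGLE, "A"),
                           ("DS by com.", DIG_DS_OK, "DS"), ("DS by child", DIG_DS_BAD, "DS")]:
        print("%-12s %s" % (label, diagnose(out, "paypal.com", qt, now)))
```

Run as-is it classifies the four samples (no-rrsig, signed, signed, wrong-signer). To check a live resolver, feed the output of `dig @<resolver> +dnssec <name>` to diagnose(). A result of no-rrsig when the DO bit was set is exactly the situation in this thread: the upstream leaves the RRSIGs out, so a validating forwarder behind it has nothing to validate and reports BOGUS.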


>  On 03/05/16 21:50, Uwe Schindler wrote:
> > Hi Simon,
> >
> > It looks like the provider's DNS really has outdated data in cache - look at
> > the TTLs - so it should be fine tomorrow:
> >
> > thetaphi at sirius:~$ dig @212.202.215.1 rrsig  paypal.com
> >
> > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 rrsig paypal.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;paypal.com.                    IN      RRSIG
> >
> > ;; ANSWER SECTION:
> > paypal.com.             48496   IN      RRSIG   DS 8 2 86400 20160510041550 20160503030550 34745 com. s3zvdSp0slicIVJlfv8Sn9SSuVf/Bm/98F9waWkNwGouczKhJSpFjdso DmVzQF7Ak4vIRZ5KfaKE4c5WyZYGJd0SF1nYXAFhpnJKtRu70JWjoktm cO6hobbykndsh0GIKsRA3xZ2sn0Oc72/0q0JtzHI5xeIXeMDe1ZI3zv+ sJY=
> >
> > ;; Query time: 12 msec
> > ;; SERVER: 212.202.215.1#53(212.202.215.1)
> > ;; WHEN: Tue May 03 22:46:09 CEST 2016
> > ;; MSG SIZE  rcvd: 202
> >
> > thetaphi at sirius:~$ dig @8.8.8.8 rrsig  paypal.com
> >
> > ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 rrsig paypal.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8497
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 512
> > ;; QUESTION SECTION:
> > ;paypal.com.                    IN      RRSIG
> >
> > ;; ANSWER SECTION:
> > paypal.com.             3599    IN      RRSIG   SOA 5 2 3600 20160602174036 20160503164036 11811 paypal.com. dzYkv7I/DjMR0YRmpjql1g5r9Zsi9bAzRsm6Wlq/9WIxKn3eokdcs8jN LtfXmChnQ6CIitzsOXZj0pvMHiq8Ah3QX3yBrqec79wELScwXl2G++5v 0940s6+JasAFnKCHRPP5KHn1csNlphflXkinG+IokmYoyskwwCOCaADA NyM=
> > paypal.com.             299     IN      RRSIG   NS 5 2 300 20160515070943 20160415062816 11811 paypal.com. wqK0n6fI2hSu9oteS0TLeZMqY80KOsun/UGDCMx+pCqIYiGQtvuqntwb pIBevESXYk3LLGbqWdPTSE+bkmJmsgy9JpcocLbhvyo6XWlx0F/WnC2G tWFEJ8h69hy/sIWthKfPk3LWkWe+1eitQt3wKpNSYjShepqlfmyRPZfx 9/s=
> > paypal.com.             299     IN      RRSIG   A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKFgokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtrCCLKyKw2j/cv Y5g=
> > paypal.com.             3599    IN      RRSIG   MX 5 2 3600 20160531040805 20160501035950 11811 paypal.com. aAv3qokZSJmKumTNGaOs9V/zd58/o8XHyIPrKQvNWul/JGxyoo43Fdjh 0vV0YlD/vhtkWgZxH/6+Z/te0ZvRnnk/uGVbt4HH9MYSVR2QDikSNfCm 04oKSthHN/joi7pjxuzbyklZOmuFjhcJPLpgXiKbACvRnZwfcWJwwOuA DT8=
> > paypal.com.             299     IN      RRSIG   TXT 5 2 300 20160516071400 20160416070722 11811 paypal.com. sDw3CY6FnMrue5rF4rLlLnbAU1/y0ybiHtZOtTwZ/qR9EvmWkI/lVwUG +gNoepkBub98OemTz+DTN4qslZwj79cSEyP1YFWWInylS1+2r22E2HrB vNpUmNwrW5kl/Tms8hats8uAXwu0UwD2GjyNcrq78IgaDHnGqQA0zacp lW4=
> > paypal.com.             59      IN      RRSIG   NSEC 5 2 60 20160527190908 20160427184249 11811 paypal.com. I1AR8lkCcXdNAsjTUmxWPSj5XRUCC+rcJ0DWKoSGxR6EHKOfKhDpmeBY MonF4NWn2nIHIRO712NsWg7BxH9SVfmBEXzDLlrunuGAI1gZZmkL1Yo0 2uFQo/l6oACeG13iE9Cnsku7hnPxaOP05TNrA5ipgH4Mq0VkDXSjFZ9k g20=
> > paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 11811 paypal.com. gXurHNSMnEJHnlOg/VT+JNFIr5qT9wsaNh8wnp4OUUWCfUhmHoPJfDPB GCdRjN+4vF6HtXNXLfjLGcDqMMfFlIGsrVwMqR1UWf+ctV2zXfHVNRKz 9sgeai2Gwx4gxtEUDJj7j4+eDW8c3fg/QwJWHK1bMciOC8JRmFXdDfwg xlw=
> > paypal.com.             599     IN      RRSIG   DNSKEY 5 2 600 20160525214249 20160425205549 21037 paypal.com. DIuMSuB4N6+VWeItBGwpe9lf9o0wdtACVk86/X4EXcB8ULx4BytTS4Qr SiY5D+KgJX48X/f6YLzJ30j0HgCzl8JHQEaznh/mW23YvCA3g6UUSzDd /lDHEC7pn1sAUI1HQuHDAB5dfAvWS5fPdCjNBUulAQztZ65QDcqvSxlC 5T+GPIrHi2mG/UfspgvfOc+kVU+HLivXKJhTlT2j+w2ZPrUk1vrIS/5v oVQyNiNVyU2pTGTT+bng1QTzVN6LQaYA45aqH1CCZ7e64YkuYg+47+sy Zcg5CK7dnglt8KQmQrgGpEpuFvjJ2S+9GcJ3tDOWMl60zf9FpPmmqJ8I 53BYFg==
> >
> > ;; Query time: 46 msec
> > ;; SERVER: 8.8.8.8#53(8.8.8.8)
> > ;; WHEN: Tue May 03 22:46:41 CEST 2016
> > ;; MSG SIZE  rcvd: 1527
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe at thetaphi.de
> >
> >> -----Original Message-----
> >> From: Simon Kelley [mailto:simon at thekelleys.org.uk]
> >> Sent: Tuesday, May 03, 2016 6:42 PM
> >> To: Uwe Schindler <uwe at thetaphi.de>; dnsmasq-discuss at lists.thekelleys.org.uk
> >> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
> >>
> >> On 03/05/16 15:56, Uwe Schindler wrote:
> >>> Hi,
> >>>
> >>> I have the feeling that 212.202.215.1 (my DNS server) has cached an
> >>> old response with outdated key. Could this happen?
> >>
> >> It shouldn't, but it could, mainly if paypal got something wrong (for
> >> instance RRSIGS have times before which they're not valid and times
> >> after which they're not valid. If your server has cached an RRSIG with a
> >> long TTL so that it's returning an RRSIG that's out of time, that could
> >> explain this.)
> >>
> >>
> >> I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
> >> often I check the logs and look at the domains which failed DNSSEC. 95%
> >> of the time, by the time I get to do the check, the queries complete
> >> successfully. Transient errors seem to be a fact of life with DNSSEC.
> >>
> >>> In general DNSSEC
> >>> works perfectly fine, but just this domain fails for me. I was
> >>> expecting that maybe PayPal updated to newest signature/encryption
> >>> algorithms that are not yet supported by dnsmasq. But as it works for
> >>> you, I think it must be something else.
> >>>
> >>> I will keep you informed if the problem still exists tomorrow. Is
> >>> there a way to get more debug output *what* exactly has failed?
> >>
> >> The result of the queries
> >>
> >>
> >>  dig @212.202.215.1 +cd  +dnssec  paypal.com
> >>  dig @212.202.215.1 rrsig  paypal.com
> >>
> >> would be interesting.
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>>
> >>> Uwe
> >>>
> >>> -----
> >>> Uwe Schindler
> >>> H.-H.-Meier-Allee 63, D-28213 Bremen
> >>> http://www.thetaphi.de
> >>> eMail: uwe at thetaphi.de
> >>>
> >>>> -----Original Message-----
> >>>> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> >>>> Sent: Tuesday, May 03, 2016 4:04 PM
> >>>> To: dnsmasq-discuss at lists.thekelleys.org.uk
> >>>> Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
> >>>>
> >>>>
> >>>> I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it
> >>>> works.
> >>>>
> >>>> paypal.com is signed and status SECURE www.paypal.com is INSECURE.
> >>>>
> >>>>
> >>>> The server you're using (212.202.215.1) won't reply to DNS queries
> >>>> for me, so I couldn't check that.
> >>>>
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Simon.
> >>>>
> >>>>
> >>>> On 03/05/16 11:57, Uwe Schindler wrote:
> >>>>> I just noticed that dnsmasq no longer resolves paypal.com and its
> >>>>> subdomains correctly. Other DNSSEC secured domains (like my own) work.
> >>>>>
> >>>>> # dig paypal.com
> >>>>>
> >>>>> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
> >>>>> ;; global options: +cmd
> >>>>> ;; Got answer:
> >>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
> >>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >>>>>
> >>>>> ;; OPT PSEUDOSECTION:
> >>>>> ; EDNS: version: 0, flags:; udp: 4096
> >>>>> ;; QUESTION SECTION:
> >>>>> ;paypal.com.                    IN      A
> >>>>>
> >>>>> ;; Query time: 22 msec
> >>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>> ;; WHEN: Tue May 03 12:49:13 CEST 2016
> >>>>> ;; MSG SIZE  rcvd: 39
> >>>>>
> >>>>> If the query log is enabled, it shows:
> >>>>>
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
> >>>>> May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
> >>>>>
> >>>>> I encountered the error for the first time with dnsmasq-2.76test8, but the
> >>>>> problem did not change after upgrading to dnsmasq-2.76test13.
> >>>>>
> >>>>> My config is:
> >>>>>
> >>>>> # dnssec
> >>>>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> >>>>> dnssec
> >>>>> dnssec-check-unsigned
> >>>>>
> >>>>> Verisign's checker says everything is OK with paypal.com.
> >>>>>
> >>>>> Uwe
> >>>>>
> >>>>> -----
> >>>>> Uwe Schindler
> >>>>> H.-H.-Meier-Allee 63, D-28213 Bremen
> >>>>> http://www.thetaphi.de
> >>>>> eMail: uwe at thetaphi.de
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Dnsmasq-discuss mailing list
> >>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >
> >
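Simon mentions above that he periodically goes through dnsmasq's logs to find the names that failed DNSSEC validation. The script below is an added example written for this page, not code from the thread or from dnsmasq, that does that over the log format shown in the thread. The paypal.com lines are the ones posted above, reflowed onto one line each; the thetaphi.de lines are constructed, and the "validation <name> is SECURE" line assumes the same message shape as the BOGUS line in the post.

```python
"""Summarise DNSSEC validation outcomes from a dnsmasq query log.

Added example for this page, not code from the thread or from dnsmasq.
The paypal.com lines are the ones posted in the thread, reflowed; the
thetaphi.de lines are constructed and assume the same message shapes.
"""
import re
from collections import OrderedDict

LOG = """\
May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
May  3 12:50:02 sirius dnsmasq[3835]: query[A] thetaphi.de from 127.0.0.1
May  3 12:50:02 sirius dnsmasq[3835]: forwarded thetaphi.de to 212.202.215.1
May  3 12:50:02 sirius dnsmasq[3835]: validation thetaphi.de is SECURE
May  3 12:50:02 sirius dnsmasq[3835]: reply thetaphi.de is 51.254.41.57
"""

_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                   r"dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message shapes seen in the thread; order matters ("ds" before generic "reply").
_EVENTS = [
    ("query", re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")),
    ("forwarded", re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")),
    ("dnssec-query", re.compile(r"^dnssec-query\[(?P<qtype>\w+)\] (?P<name>\S+) to (?P<server>\S+)$")),
    ("ds", re.compile(r"^reply (?P<name>\S+) is DS keytag (?P<keytag>\d+), "
                      r"algo (?P<algo>\d+), digest (?P<digest>\d+)$")),
    ("validation", re.compile(r"^validation (?P<name>\S+) is (?P<status>\w+)$")),
    ("reply", re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$")),
]


def parse_line(line):
    """Return a dict with ts/host/pid/event plus the event's fields, or None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec.pop("msg")
    for event, rx in _EVENTS:
        em = rx.match(msg)
        if em:
            rec["event"] = event
            rec.update(em.groupdict())
            return rec
    rec["event"], rec["msg"] = "other", msg
    return rec


def validation_report(log_text):
    """Per name: last validation status, DS records seen, upstream, clients."""
    names = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "name" not in rec:
            continue
        e = names.setdefault(rec["name"], {"status": None, "ds": [], "upstream": None,
                                           "clients": set(), "first_seen": rec["ts"]})
        ev = rec["event"]
        if ev == "query":
            e["clients"].add(rec["client"])
        elif ev in ("forwarded", "dnssec-query"):
            e["upstream"] = rec["server"]
        elif ev == "ds":
            e["ds"].append((int(rec["keytag"]), int(rec["algo"]), int(rec["digest"])))
        elif ev == "validation":
            e["status"] = rec["status"]
    return names


def failed_names(log_text):
    """Names whose last validation result was BOGUS: the ones worth a re-check."""
    return [n for n, e in validation_report(log_text).items() if e["status"] == "BOGUS"]


if __name__ == "__main__":
    for name, e in validation_report(LOG).items():
        print("%-14s %-8s upstream=%s ds=%s clients=%s" % (
            name, e["status"], e["upstream"], e["ds"], sorted(e["clients"])))
    print("BOGUS:", failed_names(LOG))
```

Feed it a real log (for example the output of `grep dnsmasq /var/log/syslog`) in place of the constructed LOG string; the DS keytag and algorithm captured per name are what you would compare against `dig +dnssec <name> DS` when re-checking a failure later, since, as the thread shows, most BOGUS results have cleared by the time anyone looks.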



