[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Uwe Schindler uwe at thetaphi.de
Wed May 4 21:57:49 BST 2016


Hi Simon,

> Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
> upstream server at 212.202.215.1 is broken. I realise that doesn't solve
> the problem, but at least you know where to work now :)
> 
> 
> (the reason dnsmasq is returning SERVFAIL is that there's a
> chain-of-trust from the root that says paypal.com is signed. If the
> answer to the paypal.com query isn't signed, it may be a false answer,
> so it can't be trusted.)

Of course this is the right thing to do!

I will contact the upstream provider and ask them to fix this!

Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd one and all three IPv6 DNS servers are working fine. This explains why it sometimes worked.

Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more servers, retry on others, too?

Uwe
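
The check discussed in this thread, finding which upstream resolvers return answers for a signed zone without their RRSIG records, can be scripted around dig. This is an added example, not part of the original message and not dnsmasq code; the function names, the signed.example name and the sample dig output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample dig output below is constructed.

# Read `dig +dnssec` output on stdin and classify the ANSWER section:
#   signed   - data records accompanied by RRSIG records
#   stripped - data records but no RRSIG (what a validator must reject
#              when the chain of trust says the zone is signed)
#   noanswer - no records in the ANSWER section (timeout, SERVFAIL, ...)
classify_dig_output() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && $4 == "RRSIG" { sigs++; next }
        in_answer && NF >= 5       { data++ }
        END {
            if (data && sigs) print "signed"
            else if (data)    print "stripped"
            else              print "noanswer"
        }'
}

# $1 = upstream resolver address, $2 = name in a zone known to be signed
check_upstream() {
    printf '%s ' "$1"
    dig +dnssec +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | classify_dig_output
}

# Constructed samples (documentation addresses, made-up signature data).
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
signed.example.  300 IN A     192.0.2.10
signed.example.  300 IN RRSIG A 8 2 300 20160601000000 20160501000000 12345 signed.example. Q09OU1RSVUNURUQ=

;; Query time: 12 msec
EOF
}
sample_stripped() {
    cat <<'EOF'
;; ANSWER SECTION:
signed.example.  300 IN A     192.0.2.10

;; Query time: 12 msec
EOF
}

# Usage: sh check.sh NAME RESOLVER...   (one result line per resolver)
if [ "$#" -ge 2 ]; then
    name=$1; shift
    for server in "$@"; do check_upstream "$server" "$name"; done
fi
```

Run it with the signed name first and then each upstream address; a resolver reported as "stripped" is one that dnsmasq with DNSSEC validation will answer SERVFAIL for.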