[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
Uwe Schindler
uwe at thetaphi.de
Sat May 14 19:55:58 BST 2016
Hi Simon,
> > Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
> > upstream server at 212.202.215.1 is broken. I realise that doesn't solve
> > the problem, but at least you know where to work now :)
> >
> >
> > (the reason dnsmasq is returning SERVFAIL is that there's a
> > chain-of-trust from the root that says paypal.com is signed. If the
> > answer to the paypal.com query isn't signed, it may be a false answer,
> > so it can't be trusted.)
>
> Of course this is the right thing to do!
>
> I will contact the upstream provider and ask them to fix this!
>
> Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd
> one and all three IPv6 DNS servers are working fine. This explains why it
> sometimes worked.
>
> Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more
> servers, retry on others, too?
What do you think about this proposal?
Uwe
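
Added example, not part of the original message and not dnsmasq code: a minimal Python check for the failure discussed in this thread, an upstream that answers a DO-bit query for a name in a signed zone without returning any RRSIG records. The sample responses are constructed, and all function names are hypothetical.

```python
import struct

RRSIG, OPT = 46, 41  # DNS RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, qid=0x1234):
    """Query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL field holds flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label is 1

def answer_types(msg):
    """Return the RR types present in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def strips_signatures(msg):
    """True when the answer has records but no RRSIG (only meaningful for a signed zone)."""
    types = answer_types(msg)
    return bool(types) and RRSIG not in types

def sample_response(name, signed):
    """Constructed response: one A record, plus a placeholder RRSIG when signed."""
    rrs = [(1, bytes([192, 0, 2, 1]))]
    if signed:
        rrs.append((RRSIG, b"\x00" * 24))         # placeholder rdata, not a real signature
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in rrs)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1) + body
```

To test real upstreams, send the bytes from build_query() to each server on UDP port 53 and pass the reply to strips_signatures(); a server that returns True for a name in a signed zone is one that a validating dnsmasq will answer SERVFAIL behind.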