[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Simon Kelley simon at thekelleys.org.uk
Sat May 14 21:43:09 BST 2016

On 14/05/16 19:55, Uwe Schindler wrote:
> Hi Simon,
>>> Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
>>> upstream server at is broken. I realise that doesn't solve
>>> the problem, but at least you know where to work now :)
>>> (the reason dnsmasq is returning SERVFAIL is that there's a
>>> chain-of-trust from the root that says paypal.com is signed. If the
>>> answer to the paypal.com query isn't signed, it may be a false answer,
>>> so it can't be trusted.)
>> Of course this is the right thing to do!
>> I will contact the upstream provider and ask them to fix this!
>> Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd
>> one and all three IPv6 DNS servers are working fine. This explains why it
>> sometimes worked.
>> Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more
>> servers, retry on others, too?
> What do you think about this proposal?

The problem is that there are many paths that cause DNSSEC validation
to fail, and for most of them it's not obvious which query to retry
or whether that would help. In this case retrying the query would be
possible, but in most cases it would not. If a DNSSEC validation fails,
there are many pieces of data that went into that validation; it's not
possible to retry all of them, and it's difficult to determine which
answers are good and which are bad.

In the end, to do DNSSEC, you need upstream servers which provide the data.
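A script to find which of a set of upstream resolvers is dropping DNSSEC data, as an added example rather than anything posted in this thread or shipped with dnsmasq. It assumes `dig` is installed, that the name to look up (defaulting to paypal.com, the name from the thread) lives in a signed zone, and that the resolver addresses in UPSTREAMS are supplied by the user; the probe runs a real `dig +dnssec` against each resolver, and the classifier only looks at the text dig prints.

```shell
#!/bin/sh
# Probe each upstream resolver for DNSSEC pass-through.
# A validating forwarder such as dnsmasq needs the RRSIG records (and, on
# request, DS/DNSKEY) to come back from upstream. An upstream that strips
# them turns every lookup in a signed zone into a validation failure,
# which dnsmasq reports as SERVFAIL.

NAME="${NAME:-paypal.com}"      # any name in a signed zone will do
UPSTREAMS="${UPSTREAMS:-}"      # space-separated resolver IPs; placeholder, set by the user

# classify_dig_output: read the output of `dig +dnssec` on stdin and print
#   ok        answer section carries RRSIG records (DNSSEC data passed through)
#   stripped  NOERROR answer but no RRSIG in it: the resolver drops DNSSEC data
#   rcode:X   some other response code (SERVFAIL, REFUSED, ...)
#   noreply   dig got no response at all
classify_dig_output() {
    out=$(cat)
    case "$out" in
        ""|*"connection timed out"*) echo noreply; return 0 ;;
    esac
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ "$rcode" != NOERROR ]; then
        echo "rcode:${rcode:-unknown}"
        return 0
    fi
    # Only the ANSWER SECTION counts: an RRSIG over an NSEC in the AUTHORITY
    # section does not show that the answer itself came back signed.
    if printf '%s\n' "$out" | sed -n '/ANSWER SECTION/,/^$/p' \
        | grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]'; then
        echo ok
    else
        echo stripped
    fi
}

# probe_upstream IP: run the real query against one resolver and classify it.
# +dnssec sets the DO bit so the resolver includes RRSIGs; +cdflag asks a
# validating resolver to hand back the data even if its own validation fails,
# which is what a forwarder doing its own validation wants to see.
probe_upstream() {
    dig +dnssec +cdflag +time=3 +tries=1 "$NAME" A "@$1" 2>&1 | classify_dig_output
}

# Report one line per upstream. Any resolver that does not come back "ok"
# should be dropped from dnsmasq's server= list while DNSSEC is enabled.
if [ -n "$UPSTREAMS" ]; then
    for s in $UPSTREAMS; do
        printf '%-20s %s\n' "$s" "$(probe_upstream "$s")"
    done
fi
```

Run it as `UPSTREAMS="192.0.2.1 192.0.2.2 2001:db8::1" sh probe.sh` (addresses here are placeholders) and expect the same mix the thread describes: the resolvers that report `stripped` are the ones that make dnsmasq return SERVFAIL. Checking for RRSIGs rather than for the `ad` flag matters: a resolver that forwards DNSSEC data without validating it sets no `ad`, yet is perfectly usable upstream of a validating dnsmasq.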
