Discussion:
[Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work
Uwe Schindler
2016-05-03 10:57:43 UTC
I just noticed that dnsmasq no longer resolves paypal.com and its subdomains correctly. Other DNSSEC-secured domains (like my own) work.

# dig paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 03 12:49:13 CEST 2016
;; MSG SIZE rcvd: 39

If the query log is enabled, it shows:

May 3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May 3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May 3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
May 3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3

I encountered the error for the first time with dnsmasq-2.76test8, but the problem did not change after upgrading to dnsmasq-2.76test13.

My config is:

# dnssec
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
dnssec-check-unsigned

Verisign's checker says everything is OK with paypal.com.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: ***@thetaphi.de
Simon Kelley
2016-05-03 14:04:21 UTC
I just tried it here, forwarding to 8.8.8.8 and 8.8.4.4 and it works.

paypal.com is signed and status SECURE
www.paypal.com is INSECURE.


The server you're using (212.202.215.1) won't reply to DNS queries for
me, so I couldn't check that.


Cheers,

Simon.
Uwe Schindler
2016-05-03 14:56:31 UTC
Hi,

I have the feeling that 212.202.215.1 (my DNS server) has cached an old response with an outdated key. Could this happen? In general DNSSEC works perfectly fine, but just this domain fails for me. I was expecting that maybe PayPal updated to the newest signature/encryption algorithms that are not yet supported by dnsmasq. But as it works for you, I think it must be something else.

I will keep you informed if the problem still exists tomorrow. Is there a way to get more debug output *what* exactly has failed?

Uwe

Simon Kelley
2016-05-03 16:42:19 UTC
Post by Uwe Schindler
Hi,
I have the feeling that 212.202.215.1 (my DNS server) has cached an
old response with outdated key. Could this happen?
It shouldn't, but it could, mainly if paypal got something wrong (for
instance RRSIGS have times before which they're not valid and times
after which they're not valid. If your server has cached an RRSIG with a
long TTL so that it's returning an RRSIG that's out of time, that could
explain this.)


I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
often I check the logs and look at the domains which failed DNSSEC. 95%
of the time, by the time I get to do the check, the queries complete
successfully. Transient errors seem to be a fact of life with DNSSEC.
Post by Uwe Schindler
In general DNSSEC
works perfectly fine, but just this domain fails for me. I was
expecting that maybe PayPal updated to newest signature/encryption
algorithms that are not yet supported by dnsmasq. But as it works for
you, I think it must be something else.
I will keep you informed if the problem still exists tomorrow. Is
there a way to get more debug output *what* exactly has failed?
The result of the queries


dig @212.202.215.1 +cd +dnssec paypal.com
dig @212.202.215.1 rrsig paypal.com

would be interesting.

Cheers,

Simon.
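Simon's habit of going back through the logs for names that failed validation can be scripted. What follows is an added example, not code from this thread or from dnsmasq: it reads dnsmasq query-log lines in the shape Uwe posted (log-queries with dnssec enabled), ties each "validation ... is BOGUS" line to the upstream server the query was forwarded to and to the DS record that came back, and separates names that validated on a later query (transient, the 95% case) from names that stayed BOGUS. The paypal.com lines are those from the thread; example.org, its timestamps and the second upstream are constructed.

```python
"""Triage dnsmasq DNSSEC failures from the query log (added example, not
dnsmasq code).  Works on syslog lines produced with `log-queries` and
`dnssec` enabled, in the shape quoted in this thread."""
import re
import sys
from collections import defaultdict

# "May  3 12:49:13 sirius dnsmasq[3835]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")
FORWARDED_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
DS_RE = re.compile(
    r"^reply (?P<name>\S+) is DS keytag (?P<keytag>\d+), algo (?P<algo>\d+), digest (?P<digest>\d+)$")
VALIDATION_RE = re.compile(r"^validation (?P<name>\S+) is (?P<status>[A-Z]+)$")

# Constructed sample: the paypal.com lines follow the thread; example.org is
# an invented name that fails once and validates on a later query.
SAMPLE_LOG = """\
May  3 12:49:13 sirius dnsmasq[3835]: query[A] paypal.com from 127.0.0.1
May  3 12:49:13 sirius dnsmasq[3835]: forwarded paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: dnssec-query[DS] paypal.com to 212.202.215.1
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is DS keytag 21037, algo 5, digest 2
May  3 12:49:13 sirius dnsmasq[3835]: validation paypal.com is BOGUS
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.66
May  3 12:49:13 sirius dnsmasq[3835]: reply paypal.com is 66.211.169.3
May  3 13:02:41 sirius dnsmasq[3835]: query[A] example.org from 127.0.0.1
May  3 13:02:41 sirius dnsmasq[3835]: forwarded example.org to 212.202.215.1
May  3 13:02:41 sirius dnsmasq[3835]: validation example.org is BOGUS
May  3 13:10:05 sirius dnsmasq[3835]: query[A] example.org from 127.0.0.1
May  3 13:10:05 sirius dnsmasq[3835]: forwarded example.org to 8.8.8.8
May  3 13:10:05 sirius dnsmasq[3835]: validation example.org is SECURE
"""


def triage(lines):
    """Return {name: {"results": [(ts, status)], "servers": set, "ds": set}}
    for every name that has at least one 'validation ... is ...' line."""
    last_server, last_ds = {}, {}   # most recent upstream / DS seen per name
    records = defaultdict(lambda: {"results": [], "servers": set(), "ds": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if fw := FORWARDED_RE.match(msg):
            last_server[fw["name"]] = fw["server"]
        elif ds := DS_RE.match(msg):
            last_ds[ds["name"]] = (int(ds["keytag"]), int(ds["algo"]), int(ds["digest"]))
        elif v := VALIDATION_RE.match(msg):
            rec = records[v["name"]]
            rec["results"].append((ts, v["status"]))
            if v["name"] in last_server:
                rec["servers"].add(last_server[v["name"]])
            if v["name"] in last_ds:
                rec["ds"].add(last_ds[v["name"]])
    return dict(records)


def classify(records):
    """Split names that ever went BOGUS into (persistent, transient); transient
    means a later query for the same name validated (SECURE or INSECURE)."""
    persistent, transient = [], []
    for name, rec in records.items():
        statuses = [s for _, s in rec["results"]]
        if "BOGUS" not in statuses:
            continue
        last_bogus = max(i for i, s in enumerate(statuses) if s == "BOGUS")
        recovered = any(s != "BOGUS" for s in statuses[last_bogus + 1:])
        (transient if recovered else persistent).append(name)
    return sorted(persistent), sorted(transient)


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    recs = triage(source)
    persistent, transient = classify(recs)
    for name in persistent:
        r = recs[name]
        print(f"PERSISTENT {name} via {','.join(sorted(r['servers']))} "
              f"DS={sorted(r['ds'])} results={[s for _, s in r['results']]}")
    for name in transient:
        print(f"transient  {name} (validated on a later query)")
```

Saved as a script and given a real log path, it prints one line per persistently failing name with the upstream and the DS key tag involved, which is exactly the information the rest of this thread needed to narrow the fault down to the upstream at 212.202.215.1.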
Uwe Schindler
2016-05-03 20:50:26 UTC
Hi Simon,

It looks like the provider's DNS really has outdated data in cache - look at the TTLs - so it should be fine tomorrow:

***@sirius:~$ dig @212.202.215.1 rrsig paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 rrsig paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN RRSIG

;; ANSWER SECTION:
paypal.com. 48496 IN RRSIG DS 8 2 86400 20160510041550 20160503030550 34745 com. s3zvdSp0slicIVJlfv8Sn9SSuVf/Bm
/98F9waWkNwGouczKhJSpFjdso DmVzQF7Ak4vIRZ5KfaKE4c5WyZYGJd0SF1nYXAFhpnJKtRu70JWjoktm cO6hobbykndsh0GIKsRA3xZ2sn0Oc72/0q0JtzHI5xeIXeMD
e1ZI3zv+ sJY=

;; Query time: 12 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Tue May 03 22:46:09 CEST 2016
;; MSG SIZE rcvd: 202

***@sirius:~$ dig @8.8.8.8 rrsig paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @8.8.8.8 rrsig paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8497
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;paypal.com. IN RRSIG

;; ANSWER SECTION:
paypal.com. 3599 IN RRSIG SOA 5 2 3600 20160602174036 20160503164036 11811 paypal.com. dzYkv7I/DjMR0YRmpjql1g5
r9Zsi9bAzRsm6Wlq/9WIxKn3eokdcs8jN LtfXmChnQ6CIitzsOXZj0pvMHiq8Ah3QX3yBrqec79wELScwXl2G++5v 0940s6+JasAFnKCHRPP5KHn1csNlphflXkinG+Iok
mYoyskwwCOCaADA NyM=
paypal.com. 299 IN RRSIG NS 5 2 300 20160515070943 20160415062816 11811 paypal.com. wqK0n6fI2hSu9oteS0TLeZMqY
80KOsun/UGDCMx+pCqIYiGQtvuqntwb pIBevESXYk3LLGbqWdPTSE+bkmJmsgy9JpcocLbhvyo6XWlx0F/WnC2G tWFEJ8h69hy/sIWthKfPk3LWkWe+1eitQt3wKpNSYjS
hepqlfmyRPZfx 9/s=
paypal.com. 299 IN RRSIG A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKF
gokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtr
CCLKyKw2j/cv Y5g=
paypal.com. 3599 IN RRSIG MX 5 2 3600 20160531040805 20160501035950 11811 paypal.com. aAv3qokZSJmKumTNGaOs9V/z
d58/o8XHyIPrKQvNWul/JGxyoo43Fdjh 0vV0YlD/vhtkWgZxH/6+Z/te0ZvRnnk/uGVbt4HH9MYSVR2QDikSNfCm 04oKSthHN/joi7pjxuzbyklZOmuFjhcJPLpgXiKbAC
vRnZwfcWJwwOuA DT8=
paypal.com. 299 IN RRSIG TXT 5 2 300 20160516071400 20160416070722 11811 paypal.com. sDw3CY6FnMrue5rF4rLlLnbA
U1/y0ybiHtZOtTwZ/qR9EvmWkI/lVwUG +gNoepkBub98OemTz+DTN4qslZwj79cSEyP1YFWWInylS1+2r22E2HrB vNpUmNwrW5kl/Tms8hats8uAXwu0UwD2GjyNcrq78I
gaDHnGqQA0zacp lW4=
paypal.com. 59 IN RRSIG NSEC 5 2 60 20160527190908 20160427184249 11811 paypal.com. I1AR8lkCcXdNAsjTUmxWPSj5
XRUCC+rcJ0DWKoSGxR6EHKOfKhDpmeBY MonF4NWn2nIHIRO712NsWg7BxH9SVfmBEXzDLlrunuGAI1gZZmkL1Yo0 2uFQo/l6oACeG13iE9Cnsku7hnPxaOP05TNrA5ipgH
4Mq0VkDXSjFZ9k g20=
paypal.com. 599 IN RRSIG DNSKEY 5 2 600 20160525214249 20160425205549 11811 paypal.com. gXurHNSMnEJHnlOg/VT+J
NFIr5qT9wsaNh8wnp4OUUWCfUhmHoPJfDPB GCdRjN+4vF6HtXNXLfjLGcDqMMfFlIGsrVwMqR1UWf+ctV2zXfHVNRKz 9sgeai2Gwx4gxtEUDJj7j4+eDW8c3fg/QwJWHK1
bMciOC8JRmFXdDfwg xlw=
paypal.com. 599 IN RRSIG DNSKEY 5 2 600 20160525214249 20160425205549 21037 paypal.com. DIuMSuB4N6+VWeItBGwpe
9lf9o0wdtACVk86/X4EXcB8ULx4BytTS4Qr SiY5D+KgJX48X/f6YLzJ30j0HgCzl8JHQEaznh/mW23YvCA3g6UUSzDd /lDHEC7pn1sAUI1HQuHDAB5dfAvWS5fPdCjNBUu
lAQztZ65QDcqvSxlC 5T+GPIrHi2mG/UfspgvfOc+kVU+HLivXKJhTlT2j+w2ZPrUk1vrIS/5v oVQyNiNVyU2pTGTT+bng1QTzVN6LQaYA45aqH1CCZ7e64YkuYg+47+sy
Zcg5CK7dnglt8KQmQrgGpEpuFvjJ2S+9GcJ3tDOWMl60zf9FpPmmqJ8I 53BYFg==

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 03 22:46:41 CEST 2016
;; MSG SIZE rcvd: 1527

Simon Kelley
2016-05-03 22:01:35 UTC
That's the same RRSIG for the DS record that Google is giving, and it
looks fine. This may be a confusion in the upstream server between auth
zones. DS records (and the RRSIG for them) come from the _parent_ zone,
ie .com.


The answer that 8.8.8.8 gives has all the RRSIGs for all the records in the
child zone, A, AAAA, TXT etc, and _not_ DS.


What do you get for

dig @212.202.215.1 +dnssec paypal.com

That should include the RRSIG for the A record, if it doesn't then
212.202.215.1 is confused about the parent/child source for RRSIGS and
that's the source of the problem.


Cheers,

Simon
Uwe Schindler
2016-05-04 06:29:03 UTC
Hi,
Post by Simon Kelley
That's the same RRSIG for the DS record that Google is giving, and it
looks fine. This may be a confusion in the upstream server between auth
zones. DS records (and the RRSIG for them) come from the _parent_ zone,
ie .com.
The answer that 8.8.8.8 gives all the RRSIGS for all the records in the
child zone, A, AAAA, TXT etc, and _not_ DS.
What do you get for
That should include the RRSIG for the A record, if it doesn't then
212.202.215.1 is confused about the parent/child source for RRSIGS and
that's the source of the problem.
It is not included - you are right. The question is: what's wrong with the upstream server? (But this is not for discussion here.)

Anyways, paypal.com still does not resolve with dnsmasq.

***@sirius:~$ dig @212.202.215.1 +dnssec paypal.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @212.202.215.1 +dnssec paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24082
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A

;; ANSWER SECTION:
paypal.com. 151 IN A 66.211.169.66
paypal.com. 151 IN A 66.211.169.3

;; Query time: 11 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Wed May 04 08:15:17 CEST 2016
;; MSG SIZE rcvd: 71

***@sirius:~$ dig @8.8.8.8 +dnssec paypal.com
[...]

;; ANSWER SECTION:
paypal.com. 219 IN A 66.211.169.3
paypal.com. 219 IN A 66.211.169.66
paypal.com. 219 IN RRSIG A 5 2 300 20160531230346 20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKF
gokzm2O0QH/1cQ6RXtxr7pwsb+9wqH PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtr
CCLKyKw2j/cv Y5g=




For comparison I also added the output of my own domain, which resolves perfectly and gives valid results:

***@sirius:~$ dig @212.202.215.1 +dnssec thetaphi.de
[...]

;; ANSWER SECTION:
thetaphi.de. 28800 IN A 51.254.41.57
thetaphi.de. 28800 IN RRSIG A 7 2 28800 20160516023037 20160502061203 22788 thetaphi.de. PKbB5xz7BcyMVGzsGHv4syI
0YCjF/NARnFuEx81CFKbTX+Ecvm+52P84 kJp8lai9TMaeJSzx7nTopQCVcoysTqPJubghWHioiQR5u0gzMnMEpyXX NG2M3LpDsDsLBHFfbs9k+GbtRIQphBdcCFxBSHVPH
ak1gTJ5tIkSUxgw Vk4=


Or another one with .com:

***@sirius:~$ dig @212.202.215.1 +dnssec sd-datasolutions.com
[...]

;; ANSWER SECTION:
sd-datasolutions.com. 28800 IN A 51.254.41.57
sd-datasolutions.com. 28800 IN RRSIG A 7 2 28800 20160513035334 20160429072527 62085 sd-datasolutions.com. QcHrH/LP1EiTxX
qwiD4KA6tBF2EUSBlMxNu8IPvPu1DldqjdfVMwOHqb lUQbAUoNhzt/YyYPUHo/0lIAwUJnmEVBek+PyjJwsKUA2ekZT/SdDKBI Ul15xvuWLcNa4VZxJM1I/1nNzVzf24WI
xeiNK/h7/nHpIXSnF+mtoSWU fJk=


So to me this looks really strange!

Thanks for helping to figure out what's wrong,
Uwe
Post by Simon Kelley
Post by Uwe Schindler
Hi Simon,
It looks like the provider's DNS really has outdated data in cache - look at
; (1 server found)
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;paypal.com. IN RRSIG
paypal.com. 48496 IN RRSIG DS 8 2 86400 20160510041550
20160503030550 34745 com. s3zvdSp0slicIVJlfv8Sn9SSuVf/Bm
Post by Uwe Schindler
/98F9waWkNwGouczKhJSpFjdso
DmVzQF7Ak4vIRZ5KfaKE4c5WyZYGJd0SF1nYXAFhpnJKtRu70JWjoktm
cO6hobbykndsh0GIKsRA3xZ2sn0Oc72/0q0JtzHI5xeIXeMD
Post by Uwe Schindler
e1ZI3zv+ sJY=
;; Query time: 12 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Tue May 03 22:46:09 CEST 2016
;; MSG SIZE rcvd: 202
; (1 server found)
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8497
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
;paypal.com. IN RRSIG
paypal.com. 3599 IN RRSIG SOA 5 2 3600 20160602174036
20160503164036 11811 paypal.com. dzYkv7I/DjMR0YRmpjql1g5
Post by Uwe Schindler
r9Zsi9bAzRsm6Wlq/9WIxKn3eokdcs8jN
LtfXmChnQ6CIitzsOXZj0pvMHiq8Ah3QX3yBrqec79wELScwXl2G++5v
0940s6+JasAFnKCHRPP5KHn1csNlphflXkinG+Iok
Post by Uwe Schindler
mYoyskwwCOCaADA NyM=
paypal.com. 299 IN RRSIG NS 5 2 300 20160515070943
20160415062816 11811 paypal.com. wqK0n6fI2hSu9oteS0TLeZMqY
Post by Uwe Schindler
80KOsun/UGDCMx+pCqIYiGQtvuqntwb
pIBevESXYk3LLGbqWdPTSE+bkmJmsgy9JpcocLbhvyo6XWlx0F/WnC2G
tWFEJ8h69hy/sIWthKfPk3LWkWe+1eitQt3wKpNSYjS
Post by Uwe Schindler
hepqlfmyRPZfx 9/s=
paypal.com. 299 IN RRSIG A 5 2 300 20160531230346
20160501221243 11811 paypal.com. EKbwsch90FNP5Yl9gkZbfbhQKF
Post by Uwe Schindler
gokzm2O0QH/1cQ6RXtxr7pwsb+9wqH
PcFxfw4IzBum5sAdmVFT1mHR7ZQWHLfIiPCpKhXXwWm/VDhcuQ2dTs9m
mvc9cP7dige2a31e+gQdDCsWSr9NrXuGt4qSBgYACGtr
Post by Uwe Schindler
CCLKyKw2j/cv Y5g=
paypal.com. 3599 IN RRSIG MX 5 2 3600 20160531040805
20160501035950 11811 paypal.com. aAv3qokZSJmKumTNGaOs9V/z
Post by Uwe Schindler
d58/o8XHyIPrKQvNWul/JGxyoo43Fdjh
0vV0YlD/vhtkWgZxH/6+Z/te0ZvRnnk/uGVbt4HH9MYSVR2QDikSNfCm
04oKSthHN/joi7pjxuzbyklZOmuFjhcJPLpgXiKbAC
Post by Uwe Schindler
vRnZwfcWJwwOuA DT8=
paypal.com. 299 IN RRSIG TXT 5 2 300 20160516071400
20160416070722 11811 paypal.com. sDw3CY6FnMrue5rF4rLlLnbA
Post by Uwe Schindler
U1/y0ybiHtZOtTwZ/qR9EvmWkI/lVwUG
+gNoepkBub98OemTz+DTN4qslZwj79cSEyP1YFWWInylS1+2r22E2HrB
vNpUmNwrW5kl/Tms8hats8uAXwu0UwD2GjyNcrq78I
Post by Uwe Schindler
gaDHnGqQA0zacp lW4=
paypal.com. 59 IN RRSIG NSEC 5 2 60 20160527190908
20160427184249 11811 paypal.com. I1AR8lkCcXdNAsjTUmxWPSj5
Post by Uwe Schindler
XRUCC+rcJ0DWKoSGxR6EHKOfKhDpmeBY
MonF4NWn2nIHIRO712NsWg7BxH9SVfmBEXzDLlrunuGAI1gZZmkL1Yo0
2uFQo/l6oACeG13iE9Cnsku7hnPxaOP05TNrA5ipgH
Post by Uwe Schindler
4Mq0VkDXSjFZ9k g20=
paypal.com. 599 IN RRSIG DNSKEY 5 2 600 20160525214249
20160425205549 11811 paypal.com. gXurHNSMnEJHnlOg/VT+J
Post by Uwe Schindler
NFIr5qT9wsaNh8wnp4OUUWCfUhmHoPJfDPB
GCdRjN+4vF6HtXNXLfjLGcDqMMfFlIGsrVwMqR1UWf+ctV2zXfHVNRKz
9sgeai2Gwx4gxtEUDJj7j4+eDW8c3fg/QwJWHK1
Post by Uwe Schindler
bMciOC8JRmFXdDfwg xlw=
paypal.com. 599 IN RRSIG DNSKEY 5 2 600 20160525214249
20160425205549 21037 paypal.com. DIuMSuB4N6+VWeItBGwpe
Post by Uwe Schindler
9lf9o0wdtACVk86/X4EXcB8ULx4BytTS4Qr
SiY5D+KgJX48X/f6YLzJ30j0HgCzl8JHQEaznh/mW23YvCA3g6UUSzDd
/lDHEC7pn1sAUI1HQuHDAB5dfAvWS5fPdCjNBUu
Post by Uwe Schindler
lAQztZ65QDcqvSxlC
5T+GPIrHi2mG/UfspgvfOc+kVU+HLivXKJhTlT2j+w2ZPrUk1vrIS/5v
oVQyNiNVyU2pTGTT+bng1QTzVN6LQaYA45aqH1CCZ7e64YkuYg+47+sy
Post by Uwe Schindler
Zcg5CK7dnglt8KQmQrgGpEpuFvjJ2S+9GcJ3tDOWMl60zf9FpPmmqJ8I
53BYFg==
Post by Uwe Schindler
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 03 22:46:41 CEST 2016
;; MSG SIZE rcvd: 1527
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
-----Original Message-----
Sent: Tuesday, May 03, 2016 6:42 PM
Subject: Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

Post by Uwe Schindler
Hi,
I have the feeling that 212.202.215.1 (my DNS server) has cached an
old response with outdated key. Could this happen?

It shouldn't, but it could, mainly if paypal got something wrong (for
instance RRSIGS have times before which they're not valid and times
after which they're not valid. If your server has cached an RRSIG with a
long TTL so that it's returning an RRSIG that's out of time, that could
explain this.)

I run dnsmasq with DNSSEC enabled in production and keep logs. Every so
often I check the logs and look at the domains which failed DNSSEC. 95%
of the time, by the time I get to do the check, the queries complete
successfully. Transient errors seem to be a fact of life with DNSSEC.

Post by Uwe Schindler
In general DNSSEC
works perfectly fine, but just this domain fails for me. I was
expecting that maybe PayPal updated to newest signature/encryption
algorithms that are not yet supported by dnsmasq. But as it works for
you, I think it must be something else.
I will keep you informed if the problem still exists tomorrow. Is
there a way to get more debug output *what* exactly has failed?

The result of the queries
would be interesting.

Cheers,
Simon.
Simon Kelley
2016-05-04 20:25:17 UTC
Permalink
Post by Uwe Schindler
Post by Simon Kelley
What do you get for
That should include the RRSIG for the A record, if it doesn't then
212.202.215.1 is confused about the parent/child source for RRSIGS and
that's the source of the problem.
It is not included - you are right. The question is: what's wrong with the upstream server? (but this is nothing for discussion here).
Anyways, paypal.com still does not resolve with dnsmasq.
; (1 server found)
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24082
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;paypal.com. IN A
paypal.com. 151 IN A 66.211.169.66
paypal.com. 151 IN A 66.211.169.3
;; Query time: 11 msec
;; SERVER: 212.202.215.1#53(212.202.215.1)
;; WHEN: Wed May 04 08:15:17 CEST 2016
;; MSG SIZE rcvd: 71
Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
upstream server at 212.202.215.1 is broken. I realise that doesn't solve
the problem, but at least you know where to work now :)

(the reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed. If the
answer to the paypal.com query isn't signed, it may be a false answer,
so it can't be trusted.)

Cheers,

Simon.
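To make the two checks in this thread concrete in code (Simon's earlier remark that an RRSIG is only valid between its inception and expiration times, and the smoking-gun reasoning above that a zone with a DS record in its parent must return signed answers), here is an added example in Python. It is not dnsmasq code and was not posted in the thread; the function names, the constructed replies (two A records for paypal.com, once with and once without an RRSIG), the RRSIG timestamps and the placeholder signature bytes are my own assumptions, and the zone_has_ds flag stands in for the parent-zone DS lookup that dnsmasq logs as dnssec-query[DS]. It builds a DO-bit query, parses a reply including compressed names, and applies the two checks to the answer section; it does not verify the signature cryptographically, which a real validator also does against the zone's DNSKEY and the parent's DS.

```python
# Added example (not dnsmasq code): wire-format DNS helpers for the two DNSSEC checks discussed here.
import struct

TYPE = {"A": 1, "OPT": 41, "DS": 43, "RRSIG": 46, "DNSKEY": 48}
TYPE_NAME = {v: k for k, v in TYPE.items()}

def encode_name(name):
    """Presentation-form name -> uncompressed wire labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(qname, qtype="A", dnssec_ok=True, txid=0x1234):
    """Query carrying an EDNS0 OPT pseudo-RR; the DO bit asks the upstream to include RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    # OPT: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, flags (DO = 0x8000), rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE["OPT"], 4096, 0, 0, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def build_response(qname, qtype, rrs, txid=0x1234):
    """Constructed reply with uncompressed names; rrs = [(owner, type, ttl, rdata_bytes)]."""
    out = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)  # flags: QR RD RA, rcode NOERROR
    out += encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    for owner, rtype, ttl, rdata in rrs:
        out += encode_name(owner) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata
    return out

def decode_name(wire, off):
    """Read a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    for _ in range(128):  # bounded so a malformed pointer loop cannot spin forever
        ln = wire[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: keep reading at the target offset
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | wire[off + 1]
            continue
        if ln == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        labels.append(wire[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    raise ValueError("name too long or compression loop")

def parse_response(wire):
    """Header rcode plus the answer-section RRs as (owner, type, ttl, rdata)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        owner, off = decode_name(wire, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        answers.append((owner, TYPE_NAME.get(rtype, rtype), ttl, wire[off:off + rdlen]))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": answers}

def rrsig_rdata(covered, expiration, inception, keytag, signer, signature=b"\x00" * 8):
    """RFC 4034 RRSIG RDATA (algorithm 5, labels 2, original TTL 600); signature bytes are a placeholder."""
    fixed = struct.pack("!HBBIIIH", TYPE[covered], 5, 2, 600, expiration, inception, keytag)
    return fixed + encode_name(signer) + signature

def parse_rrsig(rdata):
    covered, alg, _lbl, _ottl, expiration, inception, keytag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = decode_name(rdata, 18)  # signer name follows the fixed 18-byte header
    return {"covered": TYPE_NAME.get(covered, covered), "algorithm": alg, "expiration": expiration,
            "inception": inception, "keytag": keytag, "signer": signer, "signature": rdata[off:]}

def rrsig_time_ok(sig, now):
    """inception <= now <= expiration, in the 32-bit serial arithmetic RFC 4034 prescribes."""
    def le(a, b):
        return ((b - a) & 0xFFFFFFFF) < 0x80000000
    return le(sig["inception"], now) and le(now, sig["expiration"])

def classify(qtype, answers, zone_has_ds, now):
    """zone_has_ds stands in for dnsmasq's parent-zone DS lookup (the 'dnssec-query[DS]' log line)."""
    sigs = [parse_rrsig(rd) for (_, t, _, rd) in answers if t == "RRSIG"]
    covering = [s for s in sigs if s["covered"] == qtype]
    if not zone_has_ds:
        return "INSECURE"  # delegation proven unsigned, so an unsigned answer is acceptable
    if not covering:
        return "BOGUS: parent has a DS for the zone but the answer carries no RRSIG"
    if not all(rrsig_time_ok(s, now) for s in covering):
        return "BOGUS: RRSIG outside its inception/expiration window"
    return "SIGNED: RRSIG present and in its window (DNSKEY/DS crypto check still required)"

def demo():
    """Constructed replies mirroring the thread: two A records, with and without an RRSIG."""
    now = 1462233600  # 2016-05-03 00:00 UTC, chosen to lie inside the constructed RRSIG window
    a_rrs = [("paypal.com.", "A", 151, bytes([66, 211, 169, 66])),
             ("paypal.com.", "A", 151, bytes([66, 211, 169, 3]))]
    sig = rrsig_rdata("A", expiration=1464375000, inception=1461700000, keytag=11811, signer="paypal.com")
    unsigned = build_response("paypal.com", "A", a_rrs)  # like the broken upstream: no RRSIG at all
    signed = build_response("paypal.com", "A", a_rrs + [("paypal.com.", "RRSIG", 151, sig)])
    broken, good = (parse_response(w)["answers"] for w in (unsigned, signed))
    return {"broken": classify("A", broken, True, now), "good": classify("A", good, True, now),
            "expired": classify("A", good, True, now + 90 * 86400),
            "no_ds": classify("A", good, False, now)}
```

Calling demo() returns the four verdicts; the "broken" case is the situation in this thread: the parent zone says paypal.com is signed, so an unsigned A answer has to be treated as BOGUS and dnsmasq answers SERVFAIL instead of passing it on. Feeding parse_response a reply captured from a real upstream (with the DO bit set, as in the dig output above) applies the same presence and time-window checks to that resolver.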
Uwe Schindler
2016-05-04 20:57:49 UTC
Permalink
Hi Simon,
Post by Simon Kelley
Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
upstream server at 212.202.215.1 is broken. I realise that doesn't solve
the problem, but at least you know where to work now :)
(the reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed, If the
answer to the paypal.com query isn't signed, it may be a false answer,
so it can't be trusted.)
Of course this is the right thing to do!

I will contact the upstream provider and ask them to fix this!

Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd one and all three IPv6 DNS servers are working fine. This explains why it sometimes worked.

Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more servers, retry on others, too?

Uwe
Uwe Schindler
2016-05-14 18:55:58 UTC
Permalink
Hi Simon,
Post by Uwe Schindler
Post by Simon Kelley
Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
upstream server at 212.202.215.1 is broken. I realise that doesn't solve
the problem, but at least you know where to work now :)
(the reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed, If the
answer to the paypal.com query isn't signed, it may be a false answer,
so it can't be trusted.)
Of course this is the right thing to do!
I will contact the upstream provider and ask them to fix this!
Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd
one and all three IPv6 DNS servers are working fine. This explains why it
sometimes worked.
Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more
servers, retry on others, too?
What do you think about this proposal?

Uwe
/dev/rob0
2016-05-14 19:51:50 UTC
Permalink
Post by Uwe Schindler
Post by Uwe Schindler
Post by Simon Kelley
Well, that's the smoking gun. Dnsmasq is doing the right thing,
and your upstream server at 212.202.215.1 is broken. I realise
that doesn't solve the problem, but at least you know where to
work now :)
(the reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed,
If the answer to the paypal.com query isn't signed, it may be
a false answer, so it can't be trusted.)
Of course this is the right thing to do!
I will contact the upstream provider and ask them to fix this!
Interestingly, two of their three IPv4 DNS servers have the
problem. The 3rd one and all three IPv6 DNS servers are working
fine. This explains why it sometimes worked.
Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows
more servers, retry on others, too?
What do you think about this proposal?
Hmm.

I think the story illustrates the importance of controlling your own
upstream resolver, or at least of using one you know you can trust.

I think there are two main reasons why signatures are broken:
1. Domain manager had an error in signing and/or keys
(usually a software problem with signing)
2. DNS hijacking (not necessarily of malicious intent)

Sometimes people get started validating DNSSEC and lose their will
to be doing so after a SERVFAIL or two. Those folks are better off
disabling validation. But you're not necessarily among them, it
seems; you're just getting occasionally broken replies from the
upstream server.

The problem I have with your idea is that you don't really have an
automated means to determine the problem upstream. You simply cannot
rely on a broken upstream server if you're going to validate. So you
fall back on 8.8.8.8 for any DNSSEC failure ... but wouldn't you be
better off just using 8.8.8.8 and dumping the broken one?

I've said before what I do ... I have *both* dnsmasq and named
running; dnsmasq on port 53 and named on 127.0.0.1:1035. The named
is doing recursion only. Yes, I'm hard core. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Simon Kelley
2016-05-14 20:43:09 UTC
Permalink
Post by Uwe Schindler
Hi Simon,
Post by Uwe Schindler
Post by Simon Kelley
Well, that's the smoking gun. Dnsmasq is doing the right thing, and your
upstream server at 212.202.215.1 is broken. I realise that doesn't solve
the problem, but at least you know where to work now :)
(the reason dnsmasq is returning SERVFAIL is that there's a
chain-of-trust from the root that says paypal.com is signed, If the
answer to the paypal.com query isn't signed, it may be a false answer,
so it can't be trusted.)
Of course this is the right thing to do!
I will contact the upstream provider and ask them to fix this!
Interestingly, two of their three IPv4 DNS servers have the problem. The 3rd
one and all three IPv6 DNS servers are working fine. This explains why it
sometimes worked.
Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows more
servers, retry on others, too?
What do you think about this proposal?
The problem is that there are many paths that cause DNSSEC validation
to fail, and for most of them, it's not obvious which query to retry
and if that would help. In this case retrying the query would be
possible, but in most cases, not. If a DNSSEC validation fails, there
are many pieces of data that go into that validation, it's not possible
to retry all of them and difficult to determine which answers are good
and which bad.

In the end, to do DNSSEC, you need upstream servers which provide the data.

Cheers,

Simon.