[dns-operations] Paypal DNSSEC issue

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Apr 15 08:08:25 UTC 2019


[It started apparently more than 36 hours ago. Found and analyzed by
Daniel Stirnimann.]

www.paypal.com is an alias of www.glb.paypal.com. glb.paypal.com is a
separate zone. It has two groups of authoritative name servers,
*.nsone.net and *.paypalinc.com. No problem with the first group, but
the second does not send back DNSSEC signatures.

% dig +dnssec @dns3.p10.nsone.net DNSKEY glb.paypal.com

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @dns3.p10.nsone.net DNSKEY glb.paypal.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38197
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;glb.paypal.com.		IN DNSKEY

;; ANSWER SECTION:
glb.paypal.com.		3600 IN	DNSKEY 257 3 13 (
				t+4DPP+MFZ0Cr7gAXiDYv6HTyXzq/O2ESVRLc/ysuh5x
				BXKIsjsj5baV1HzhBNo2F7mbsevsEo0/6UEL8+JBmA==
				) ; KSK; alg = ECDSAP256SHA256; key id = 48553
glb.paypal.com.		3600 IN	DNSKEY 256 3 13 (
				pxEUulkf8UZtE9fy2+4wJwM44xncypgGVps4hE4kQGA5
				TuC/XJPoKBX6e3B/QL9AmwFCgyFeC4uRNxoqxK0xOg==
				) ; ZSK; alg = ECDSAP256SHA256; key id = 44688
glb.paypal.com.		3600 IN	DNSKEY 256 3 13 (
				qjjoeqPSo312QaF0bSDMw/k7lxRz43ZeBBmSHzCf4Nh3
				1Z+m5a9IfFTk0MzrogOOylCsORflZTKYHPPISl6Zdw==
				) ; ZSK; alg = ECDSAP256SHA256; key id = 4054
glb.paypal.com.		3600 IN	RRSIG DNSKEY 13 3 3600 (
				20190421221524 20190413221524 48553 glb.paypal.com.
				JEmTuJoe5Zv92lPW6BTlc0IlRabrskv5kCossY6TtkWI
				vz5jg6+q7ufNCjVbU0hRqNnvaifEAclpIdsNU65FMQ== )

;; Query time: 12 msec
;; SERVER: 2620:4d:4000:6259:7::a0#53(2620:4d:4000:6259:7::a0)
;; WHEN: Mon Apr 15 10:05:47 CEST 2019
;; MSG SIZE  rcvd: 393


% dig +dnssec @ns03.glb.paypalinc.com. DNSKEY glb.paypal.com

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec @ns03.glb.paypalinc.com. DNSKEY glb.paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20506
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;glb.paypal.com.		IN DNSKEY

;; ANSWER SECTION:
glb.paypal.com.		3600 IN	DNSKEY 257 3 13 (
				t+4DPP+MFZ0Cr7gAXiDYv6HTyXzq/O2ESVRLc/ysuh5x
				BXKIsjsj5baV1HzhBNo2F7mbsevsEo0/6UEL8+JBmA==
				) ; KSK; alg = ECDSAP256SHA256; key id = 48553
glb.paypal.com.		3600 IN	DNSKEY 256 3 13 (
				pxEUulkf8UZtE9fy2+4wJwM44xncypgGVps4hE4kQGA5
				TuC/XJPoKBX6e3B/QL9AmwFCgyFeC4uRNxoqxK0xOg==
				) ; ZSK; alg = ECDSAP256SHA256; key id = 44688
glb.paypal.com.		3600 IN	DNSKEY 256 3 13 (
				qjjoeqPSo312QaF0bSDMw/k7lxRz43ZeBBmSHzCf4Nh3
				1Z+m5a9IfFTk0MzrogOOylCsORflZTKYHPPISl6Zdw==
				) ; ZSK; alg = ECDSAP256SHA256; key id = 4054

;; Query time: 11 msec
;; SERVER: 45.54.78.129#53(45.54.78.129)
;; WHEN: Mon Apr 15 10:05:59 CEST 2019
;; MSG SIZE  rcvd: 283

Since some of the authoritative name servers still serve signatures,
most resolvers manage to resolve the names, probably because they
retry with other authoritative name servers. But a few resolvers are
apparently too sensitive and return SERVFAIL. 

[Paypal was informed.]
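The check described in the post, one DO-bit DNSKEY query per authoritative server and a look at whether RRSIGs come back, can be automated so that every server in both groups is compared instead of one from each. The script below is an added example, not code from the original post or from any of the parties named in it. It uses only the Python standard library: `build_query` produces the same wire-format query `dig +dnssec` sends (EDNS0 OPT record with the DO bit set), `signatures_cover` parses a response's answer section and reports whether an RRSIG covering the requested type is present, and `audit` summarises one verdict per server. The two responses in `SAMPLE_RESPONSES` are constructed in the script (placeholder key and signature bytes, not the real glb.paypal.com records) so that it runs offline; `probe` is the only function that touches the network and is there for live use against a server list you supply.

```python
import socket
import struct

TYPE_DNSKEY = 48
TYPE_RRSIG = 46
TYPE_OPT = 41
CLASS_IN = 1
EDNS_DO = 0x8000  # DO bit lives in the OPT record's TTL field (RFC 3225)


def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """Query with rd set and an EDNS0 OPT RR asking for signatures, as `dig +dnssec` does."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root owner, type 41, UDP payload 4096 in the class field, DO in TTL, empty rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(wire, off):
    """Offset just past a name that may end in a compression pointer."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_answer_types(wire):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section of a response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # qtype + qclass
    records = []
    for _ in range(an):
        off = skip_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        records.append((rtype, wire[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, records


def signatures_cover(wire, qtype):
    """True only if the answer holds the RRset for qtype AND an RRSIG whose type-covered field is qtype."""
    _rcode, records = parse_answer_types(wire)
    has_rrset = any(t == qtype for t, _ in records)
    has_sig = any(t == TYPE_RRSIG and struct.unpack("!H", rd[:2])[0] == qtype
                  for t, rd in records)
    return has_rrset and has_sig


def audit(responses, qtype=TYPE_DNSKEY):
    """Map each server label to True (RRSIGs present) or False (signatures missing)."""
    return {server: signatures_cover(wire, qtype) for server, wire in responses.items()}


def probe(server, name, qtype=TYPE_DNSKEY, timeout=3.0):
    """Live UDP query to one authoritative server (IPv4 or IPv6); not used by the offline demo."""
    family, stype, proto, _, sockaddr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, stype, proto) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), sockaddr)
        return s.recv(4096)


def make_response(name, qtype, records, qid=0x1234):
    """Constructed authoritative response (qr, aa set) carrying the given (rtype, rdata) answers."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    owner = encode_name(name)
    body = b"".join(owner + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
                    for rtype, rdata in records)
    return header + question + body


ZONE = "glb.paypal.com"
# Placeholder rdata: a KSK-flagged DNSKEY (flags 257, proto 3, alg 13) with dummy key bytes,
# and an RRSIG over type DNSKEY with dummy signature bytes. Not the real records.
FAKE_DNSKEY = struct.pack("!HBB", 257, 3, 13) + b"\x01" * 32
FAKE_RRSIG = (struct.pack("!HBBIIIH", TYPE_DNSKEY, 13, 3, 3600, 0x5CBCF0CC, 0x5CB25CCC, 48553)
              + encode_name(ZONE) + b"\x02" * 64)

# Constructed samples mirroring the two behaviours in the post: one server group signs, one does not.
SAMPLE_RESPONSES = {
    "signing-server": make_response(ZONE, TYPE_DNSKEY,
                                    [(TYPE_DNSKEY, FAKE_DNSKEY), (TYPE_RRSIG, FAKE_RRSIG)]),
    "unsigned-server": make_response(ZONE, TYPE_DNSKEY, [(TYPE_DNSKEY, FAKE_DNSKEY)]),
}

if __name__ == "__main__":
    for server, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{server}: {'RRSIG present' if ok else 'NO RRSIG (signatures missing)'}")
```

For a live run, replace `SAMPLE_RESPONSES` with `{ip: probe(ip, ZONE) for ip in your_server_list}`; any server reported `False` is one that validating resolvers may fail over from, or, for the stricter ones the post mentions, answer with SERVFAIL on. Testing with TCP as well (not shown here) is worthwhile, since a 4096-byte UDP limit can also truncate signed answers.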
