Anyone with contacts at Paypal and/or Ultradns?

Tom Ivar Helbekkmo tih at hamartun.priv.no
Wed Dec 11 17:06:08 UTC 2019


Viktor Dukhovni <ietf-dane at dukhovni.org> writes:

> A word of unsolicated advice (you're more than free to ignore) from
> someone (me) deeply enmeshed in email security and DNSSEC:

Thanks, Viktor!

>     * Don't use qname minimization with validating MTA-facing resolvers.
>     * Instead run a *local* resolver.  The cache on that resolver will
>       do all the qname minimization you can get.

I do run a local recursor, so yeah, I see what you mean.  However, it
turns out that I need to turn off DNSSEC validation, too, to get the
recursor to accept the name servers from Ultradns; their mishandling of
those ENTs trips up the validation, which fails.

A quick exchange on the PowerDNS IRC channel (I'm using their most
excellent software) helped me understand what was going on, and I ended
up configuring my recursor to avoid querying the Ultradns name servers.
That leaves only two functioning authoritative name servers for the
paypal.com subtree as seen from here, but any temporary reachability
problems with those will only mean my mail from them will be delayed,
and not lost, as is the case with the Ultradns servers in the mix.

As for other domains with similar problems, that I might receive email
from, I get daily status reports from my MTA, highlighting this sort of
trouble.  If another such situation arises, I'll be alerted.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay


More information about the dns-operations mailing list