Anyone with contacts at Paypal and/or Ultradns?

Tom Ivar Helbekkmo tih at hamartun.priv.no
Thu Dec 12 06:48:15 UTC 2019


Viktor Dukhovni <ietf-dane at dukhovni.org> writes:

> If you disable qname minimization and flush your cache, it would be
> interesting to learn what issues you still see after that, assuming
> you're willing to re-enable the ultradns servers long enough to
> perform a test.

I did that before blocking out the ultradns servers.  It still failed,
and the reason is that the PowerDNS recursor, when validating DNSSEC,
inspects each node in the tree, searching for DS records.  The error in
those particular ENTs will render them, and anything below them, bogus.

Did it again, now - here's what happens with qname minimization turned
off, but DNSSEC validation left on, and the recursor restarted:

: barsoom# ;dig -t txt 1sfdc._domainkey.paypal.com

; <<>> DiG 9.14.8 <<>> -t txt 1sfdc._domainkey.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45727
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1sfdc._domainkey.paypal.com.   IN      TXT

;; Query time: 278 msec
;; SERVER: 193.71.27.8#53(193.71.27.8)
;; WHEN: Thu Dec 12 07:34:12 CET 2019
;; MSG SIZE  rcvd: 56

The recursor, meanwhile, logs this:

Dec 12 07:34:12 barsoom pdns_recursor[846]: Answer to 1sfdc._domainkey.paypal.com|TXT for 127.0.0.1:52836 validates as Bogus

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
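The failure mode described above (a validator walks every node of the name, asking for DS, and an unprovable answer at an empty non-terminal makes that node and everything below it Bogus) can be modelled in a few lines. The following is an added example, not code from the post or from PowerDNS: the DS lookup is a constructed in-memory table, and the answers recorded for the paypal.com names are constructed to illustrate the mechanism, not observed data.

```python
"""Model of a DNSSEC validator's DS walk down the ancestor chain of a name.

Added example; not code from the mailing-list post or from PowerDNS.
The authoritative responses below are a constructed table used to show
why a broken empty non-terminal (ENT) poisons its whole subtree.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DsAnswer:
    """What the validator learns when it asks for DS at one node (constructed model)."""
    rcode: str            # 'NOERROR', 'SERVFAIL', 'REFUSED', ...
    proven: bool = True   # answer carries RRSIG/NSEC material that validates
    has_ds: bool = False  # a DS RRset is present: a signed delegation point


def ancestors(qname: str) -> List[str]:
    """Nodes a validator inspects below the root, parent first.

    '1sfdc._domainkey.paypal.com' ->
    ['com', 'paypal.com', '_domainkey.paypal.com', '1sfdc._domainkey.paypal.com']
    """
    labels = qname.rstrip('.').split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def validate(qname: str, ds_lookup: Callable[[str], DsAnswer]) -> Tuple[str, str]:
    """Walk from the TLD to the leaf, asking for DS at every node.

    Returns (status, node): status is 'Secure' or 'Bogus'; node is the leaf
    on success, or the first node whose DS answer could not be proven.
    A proven NODATA (an ENT, or a plain in-zone name) and a proven DS
    (a signed delegation) both let the walk continue; anything else stops it.
    """
    chain = ancestors(qname)
    for node in chain:
        ans = ds_lookup(node)
        if ans.rcode != 'NOERROR' or not ans.proven:
            return ('Bogus', node)
    return ('Secure', chain[-1])


# Constructed: a healthy tree. Every node gives a provable DS or a provable
# NODATA, so the walk reaches the leaf.
HEALTHY: Dict[str, DsAnswer] = {
    'com': DsAnswer('NOERROR', has_ds=True),
    'paypal.com': DsAnswer('NOERROR', has_ds=True),
    '_domainkey.paypal.com': DsAnswer('NOERROR'),          # ENT: proven NODATA
    '1sfdc._domainkey.paypal.com': DsAnswer('NOERROR'),
    'www.paypal.com': DsAnswer('NOERROR'),
}

# Constructed: the same tree, except the ENT answers with an error instead of
# a proven NODATA. The validator cannot prove the absence of a delegation
# there, so the ENT and every name under it validate as Bogus.
BROKEN_ENT: Dict[str, DsAnswer] = dict(
    HEALTHY, **{'_domainkey.paypal.com': DsAnswer('SERVFAIL', proven=False)}
)


def lookup_in(table: Dict[str, DsAnswer]) -> Callable[[str], DsAnswer]:
    """Turn a constructed table into a DS lookup function."""
    def lookup(node: str) -> DsAnswer:
        # A node missing from the table is treated as an unprovable answer.
        return table.get(node, DsAnswer('SERVFAIL', proven=False))
    return lookup


if __name__ == '__main__':
    for name in ('1sfdc._domainkey.paypal.com', 'www.paypal.com'):
        for label, table in (('healthy', HEALTHY), ('broken ENT', BROKEN_ENT)):
            status, node = validate(name, lookup_in(table))
            print(f'{label:11} {name}: {status} (stopped at {node})')
```

The useful operational point is the scoping: with the broken ENT, `1sfdc._domainkey.paypal.com` comes back Bogus at `_domainkey.paypal.com`, while `www.paypal.com` in the same zone still validates, because its chain never passes through the bad node. When diagnosing a Bogus result for one's own zone, the list returned by `ancestors()` is exactly the set of names worth checking for a proper, signed NODATA answer to a DS query.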