[dns-operations] Anyone with contacts at Paypal and/or Ultradns?

Matt Nordhoff lists at mn0.us
Sat Dec 28 16:47:27 UTC 2019


On Wed, Dec 11, 2019 at 6:47 AM Tom Ivar Helbekkmo via dns-operations
<dns-operations at dns-oarc.net> wrote:
> Mail from Paypal to me is failing, hard, because I run a resolver with
> DNSSEC verification and qname minimization, and an MTA that implements
> DMARC.  Out of the four name servers they've got configured, the two at
> Ultradns are mishandling empty non-terminals.  I get SERVFAIL responses
> for slc.paypal.com and _domainkey.paypal.com, both of which are needed
> for email, because their MTAs are under the former, and their DKIM keys
> under the latter.
>
> The problems are visible using dnsviz:
>
> https://dnsviz.net/d/slc.paypal.com/dnssec/
> https://dnsviz.net/d/_domainkey.paypal.com/dnssec/
>
> I've tried writing to hostmaster at paypal.com about this, but have
> received no response.
>
> -tih

It looks like this is a more widespread Neustar issue. A domain using
Namecheap's DNS service -- which now outsources the DNS servers to
Neustar -- ran into the same issue.

<https://community.letsencrypt.org/t/dns-problem-servfail-looking-up-caa-solved/109397>
<https://mn0.us/SCfQ>

They have since 'solved' the problem by adding a TXT record so that
their empty non-terminal isn't empty anymore, but there's a dig
showing the issue in the thread.

Going by the RRSIG inception and expiration periods, Namecheap is
using PowerDNS as a signer, and PayPal is using something else.
Namecheap and PayPal could still be using the same software at another
point in their stacks, but it seems more likely that the problem is on
Neustar's end.
-- 
Matt Nordhoff
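
Added example, not part of the original message and not code from any tool named in it: a per-server check for the failure mode discussed in this thread, run over saved `dig +dnssec +norecurse` output for a name known to be an empty non-terminal (ENT). The dig output, the names under example.test and the verdict labels are constructed for illustration, and the zone is assumed to be signed.

```python
import re

def classify_ent_response(dig_text):
    """Classify one authoritative reply for a name known to be an empty non-terminal."""
    status = re.search(r"status: (\w+)", dig_text)
    answers = re.search(r"ANSWER: (\d+)", dig_text)
    if not status or not answers:
        return "unparseable"
    auth_types, in_auth = set(), False
    for line in (l.strip() for l in dig_text.splitlines()):
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
        elif in_auth and (not line or line.startswith(";")):
            break
        elif in_auth and len(line.split()) >= 4:
            auth_types.add(line.split()[3])  # name ttl class TYPE ...
    rcode = status.group(1)
    if rcode == "NXDOMAIN":
        return "nxdomain-for-ent"      # denies names that exist below the ENT
    if rcode != "NOERROR":
        return "error-" + rcode.lower()
    if int(answers.group(1)) > 0:
        return "not-empty"             # the name owns records, so it is no ENT
    if auth_types & {"NSEC", "NSEC3"}:
        return "ok-nodata"             # NODATA with a denial proof to validate
    return "nodata-without-proof"      # a validator cannot authenticate this

def audit(samples):
    """Map each server to its verdict; anything but ok-nodata needs a look."""
    return {server: classify_ent_response(text) for server, text in samples.items()}

# Constructed dig output (abbreviated), not captured from any real server.
HEADER = (";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n"
          ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: %d, ADDITIONAL: 1\n"
          "\n;; AUTHORITY SECTION:\n")
SOA = "example.test. 300 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 300\n"
PROOF = ("example.test. 300 IN RRSIG SOA 13 2 300 ...\n"
         "abcd.example.test. 300 IN NSEC3 1 0 0 - ...\n"
         "abcd.example.test. 300 IN RRSIG NSEC3 13 3 300 ...\n")
SAMPLES = {
    "ns1.example.test": HEADER % ("NOERROR", 4) + SOA + PROOF,
    "ns2.example.test": HEADER % ("NXDOMAIN", 1) + SOA,
    "ns3.example.test": HEADER % ("NOERROR", 1) + SOA,
}

if __name__ == "__main__":
    for server, verdict in audit(SAMPLES).items():
        print(f"{server}: {verdict}")
```

The check only looks at the response shape; it does not verify that the NSEC/NSEC3 records cover the queried name or that their signatures validate, which is what the dnsviz links in the quoted message show.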

