[dns-operations] Anyone with contacts at Paypal and/or Ultradns?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Dec 28 17:59:34 UTC 2019
On Sat, Dec 28, 2019 at 04:47:27PM +0000, Matt Nordhoff wrote:
> It looks like this is a more widespread Neustar issue. A domain using
> Namecheap's DNS service -- which now outsources the DNS servers to
> Neustar -- ran into the same issue.
The nameservers in question are:
nexoya.io. IN NS dns1.registrar-servers.com.
nexoya.io. IN NS dns2.registrar-servers.com.
Another domain served by the same is:
sparkblocs.com. IN NS dns1.registrar-servers.com.
sparkblocs.com. IN NS dns2.registrar-servers.com.
here, there's an issue with the RRSIG on the wildcard CNAME record
(signature fails to verify):
https://dnsviz.net/d/_25._tcp.sparkblocs.com/dnssec/
https://dnsviz.net/d/%2A.sparkblocs.com/dnssec/
> Namecheap and PayPal could still be using the same software at another
> point in their stacks, but it seems more likely that the problem is on
> Neustar's end.
Again not clear whether the zone is signed by Neustar, or they're just serving
a replica that was incorrectly signed elsewhere.
--
Viktor.
More information about the dns-operations
mailing list