[dns-operations] Anyone with contacts at Paypal and/or Ultradns?

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Dec 28 17:59:34 UTC 2019


On Sat, Dec 28, 2019 at 04:47:27PM +0000, Matt Nordhoff wrote:

> It looks like this is a more widespread Neustar issue. A domain using
> Namecheap's DNS service -- which now outsources the DNS servers to
> Neustar -- ran into the same issue.

The nameservers in question are:

    nexoya.io. IN NS dns1.registrar-servers.com.
    nexoya.io. IN NS dns2.registrar-servers.com.

Another domain served by the same is:

    sparkblocs.com. IN NS dns1.registrar-servers.com.
    sparkblocs.com. IN NS dns2.registrar-servers.com.

here, there's an issue with the RRSIG on the wildcard CNAME record
(signature fails to verify):

    https://dnsviz.net/d/_25._tcp.sparkblocs.com/dnssec/
    https://dnsviz.net/d/%2A.sparkblocs.com/dnssec/

> Namecheap and PayPal could still be using the same software at another
> point in their stacks, but it seems more likely that the problem is on
> Neustar's end.

Again not clear whether the zone is signed by Neustar, or they're just serving
a replica that was incorrectly signed elsewhere.

-- 
    Viktor.


More information about the dns-operations mailing list