[dns-operations] Anyone with contacts at Paypal and/or Ultradns?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 28 10:16:34 UTC 2020


On Tue, Jan 28, 2020 at 08:48:51AM +0100, Tom Ivar Helbekkmo wrote:

> > The problems are visible using dnsviz:
> 
> ...which showed that Neustar's "UltraDNS" name servers were mishandling
> ENTs, causing trouble for resolvers that use qname minimization and/or
> do careful DNSSEC validation.  Well, no more:
> 
> > https://dnsviz.net/d/slc.paypal.com/dnssec/
> > https://dnsviz.net/d/_domainkey.paypal.com/dnssec/
> 
> The good folks at Neustar took this problem seriously.  They followed up
> my problem report diligently, and have just rolled out a new version of
> their software, with the bug fixed.

While Paypal may well be resolved, at least 408 other domains are still
not returning the requisite NSEC (or NSEC3) RRs.  For example:

    https://dnsviz.net/d/_25._tcp.sili.dev/dnssec/
    https://dnsviz.net/d/_25._tcp.e33.info/dnssec/

    - Hooray!  Algorithm 13 (P256) CSK.
    - Oops, NXDOMAIN with no NSEC!

Perhaps, in addition to the software update, zone files for the affected
domains also need to be rebuilt (to repair the NSEC chains), which may
take more time.  If so, with a bit of luck, I should see a decline in
the number of affected domains over the coming days.

-- 
    Viktor.
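
Added example (not part of the original message, and not code from any tool named in it): a minimal wire-format check for the symptom reported above, a negative answer whose authority section carries no NSEC or NSEC3 record. It assumes the caller only passes in responses from signed zones that were queried with the DO bit set; the zone name, helper names and sample responses are constructed, with empty RDATA.

```python
import struct

SOA, RRSIG, NSEC, NSEC3, TLSA = 6, 46, 47, 50, 52

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def authority_types(msg):
    """Return (rcode, answer count, RR types seen in the authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip qtype + qclass
    types = set()
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= an:                            # past the answer section
            types.add(rtype)
    return flags & 0xF, an, types

def missing_denial_proof(msg):
    """True for NXDOMAIN/NODATA that carries no NSEC or NSEC3 record."""
    rcode, an, types = authority_types(msg)
    negative = rcode == 3 or (rcode == 0 and an == 0 and SOA in types)
    return negative and not types & {NSEC, NSEC3}

# --- constructed sample responses (hypothetical zone, empty RDATA) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def rr(owner, rtype):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 300, 0)

def response(qname, rcode, authority):
    hdr = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, len(authority), 0)
    return hdr + name(qname) + struct.pack("!HH", TLSA, 1) + b"".join(authority)

Z, Q = "example.com", "_25._tcp.example.com"
BROKEN = response(Q, 3, [rr(Z, SOA), rr(Z, RRSIG)])
PROVEN = response(Q, 3, [rr(Z, SOA), rr(Z, RRSIG), rr(Z, NSEC), rr(Z, RRSIG)])
REFERRAL = response(Q, 0, [rr(Z, 2)])          # NS only: not a negative answer

if __name__ == "__main__":
    for label, msg in (("broken", BROKEN), ("proven", PROVEN), ("referral", REFERRAL)):
        print(label, missing_denial_proof(msg))
```

The check only looks for the presence of denial-of-existence records; it does not verify that the NSEC/NSEC3 records cover the query name or that their signatures validate.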
