Why does www.paypal.com resolve when it has DNSSEC errors?


tha...@gmail.com

Aug 9, 2016, 5:32:17 PM
to public-dns-discuss
Recently our local dns caching server stopped resolving www.paypal.com due to what appears to be issues with DNSSEC validation.  When checking this with http://dnsviz.net/d/www.paypal.com/dnssec/ (png attached), the following errors are listed.
  • a.akamaiedge.net zone: The server(s) were not responsive to queries over TCP. (23.3.10.153, 23.3.10.156, 23.61.198.49, 23.61.198.50, 23.61.198.51, 23.61.198.52, 23.61.198.53, 23.61.198.54, 23.61.198.55, 23.61.198.56, 23.62.229.4, 23.62.229.5, 23.62.229.6, 23.62.229.7, 23.62.229.8, 23.62.229.9, 23.62.229.10, 23.62.229.11, 63.141.195.109, 63.141.195.110, 77.67.87.4, 77.67.87.5, 77.67.87.6, 77.67.87.7, 77.67.87.12, 77.67.87.13, 77.67.87.14, 77.67.87.15, 88.221.81.192, 88.221.81.193, 88.221.81.194, 88.221.81.195, 96.17.144.40, 96.17.144.42, 96.17.144.43, 96.17.144.44, 96.17.144.45, 96.17.144.46, 96.17.144.47, 2600:1406:1c:f000:9028::, 2600:1406:1c:f000:902b::, 2600:1480:e800::c0)
  • akamaiedge.net to a.akamaiedge.net: No delegation NS records were detected in the parent zone (akamaiedge.net). This results in an NXDOMAIN response to a DS query (for DNSSEC), even if the parent servers are authoritative for the child. (2.16.40.192, 2.22.230.194, 23.61.199.194, 23.211.61.192, 23.211.132.192, 84.53.139.194, 95.100.168.194, 95.100.173.192, 95.100.174.192, 95.101.36.192, 96.7.49.194, 96.7.50.192, 184.26.161.192, 184.85.248.194, 193.108.88.1, 2600:1406:32::c2, 2600:1480:1::c2, UDP_0_EDNS0_32768_4096)
  • ppdirect.paypal.com.akadns.net/CNAME: A query for ppdirect.paypal.com.akadns.net results in a NOERROR response, while a query for its ancestor, com.akadns.net, returns a name error (NXDOMAIN), which indicates that subdomains of com.akadns.net, including ppdirect.paypal.com.akadns.net, don't exist. (2.22.230.130, 23.61.199.131, 72.246.46.131, 84.53.139.129, 95.100.168.130, 95.100.173.129, 96.7.49.129, 96.7.50.128, 184.85.248.128, 193.108.88.128, UDP_0_EDNS0_32768_4096)
  • wlb.paypal.com.akadns.net/CNAME: A query for wlb.paypal.com.akadns.net results in a NOERROR response, while a query for its ancestor, com.akadns.net, returns a name error (NXDOMAIN), which indicates that subdomains of com.akadns.net, including wlb.paypal.com.akadns.net, don't exist. (2.22.230.130, 23.61.199.131, 72.246.46.131, 84.53.139.129, 95.100.168.130, 95.100.173.129, 96.7.49.129, 96.7.50.128, 184.85.248.128, 193.108.88.128, UDP_0_EDNS0_32768_4096)
  • www.paypal.com.akadns.net/CNAME: A query for www.paypal.com.akadns.net results in a NOERROR response, while a query for its ancestor, com.akadns.net, returns a name error (NXDOMAIN), which indicates that subdomains of com.akadns.net, including www.paypal.com.akadns.net, don't exist. (2.22.230.130, 23.61.199.131, 72.246.46.131, 84.53.139.129, 95.100.168.130, 95.100.173.129, 96.7.49.129, 96.7.50.128, 184.85.248.128, 193.108.88.128, UDP_0_EDNS0_32768_4096)
  • www.paypal.com.edgekey.net/CNAME: A query for www.paypal.com.edgekey.net results in a NOERROR response, while a query for its ancestor, paypal.com.edgekey.net, returns a name error (NXDOMAIN), which indicates that subdomains of paypal.com.edgekey.net, including www.paypal.com.edgekey.net, don't exist. (2.22.230.65, 23.61.199.64, 23.74.25.65, 23.211.132.65, 23.211.133.65, 84.53.139.65, 84.53.139.66, 95.100.168.65, 95.100.173.65, 95.101.36.65, 96.7.49.65, 96.7.50.66, 184.85.248.65, 184.85.248.66, 193.108.91.2, 193.108.91.66, 2600:1401:1::41, 2600:1401:2::2, 2600:1401:2::42, 2600:1406:1b::41, UDP_0_EDNS0_32768_4096)
Our bind9/named server logs show the following:
09-Aug-2016 12:43:31.709 createfetch: www.paypal.com A
09-Aug-2016 12:43:31.721 error (broken trust chain) resolving 'www.paypal.com/A/IN': 208.78.70.57#53
...

09-Aug-2016 12:44:58.320 createfetch: t.paypal.com DS
09-Aug-2016 12:44:58.331 error (no valid RRSIG) resolving 't.paypal.com/DS/IN': 204.13.251.57#53
09-Aug-2016 12:44:58.341 error (no valid RRSIG) resolving 't.paypal.com/DS/IN': 208.78.71.57#53
09-Aug-2016 12:44:58.353 error (no valid RRSIG) resolving 't.paypal.com/DS/IN': 208.78.70.57#53
09-Aug-2016 12:44:58.388 error (no valid RRSIG) resolving 't.paypal.com/DS/IN': 204.13.250.57#53
...

The Google public DNS server seems to resolve this anyway.  I found the following statement at https://developers.google.com/speed/public-dns/faq.  
"How does Google Public DNS handle lookups which fail DNSSEC validation?

If Google Public DNS cannot validate a response (due to misconfiguration, missing or incorrect RRSIG records, etc.), it will return an error response (SERVFAIL) instead. However, if the impact is significant (e.g. a very popular domain is failing validation), we may temporarily disable validation on the zone until the problem is fixed."

Would this mean that www.paypal.com is under an exception for DNSSEC validation?  How do I know what sites are on this exception list (if that is what it is) and doesn't that break the whole point of DNSSEC? Is there a list somewhere that specifies what the Google Public DNS servers are temporarily disabling validation on?  Any help or information on this is appreciated.

thanks,
 -Tomas

www.paypal.com-2016-08-09-16_20_52-UTC.png

Shen Wan

Aug 11, 2016, 3:40:36 PM
to public-dns-discuss
www.paypal.com is properly signed. However, the CNAME points to www.paypal.com.akadns.net, which is not signed. VerisignLabs explains this in detail: http://dnssec-debugger.verisignlabs.com/www.paypal.com#
Note that in this case www.paypal.com itself did not fail DNSSEC validation. And it is OK and common for a DNSSEC-signed zone to have CNAME records pointing to a DNSSEC-unsigned zone. If PayPal wants their entire CNAME chain to be properly signed, they should urge Akamai to do it.

We do not have a DNSSEC exception for www.paypal.com or akadns.net or akamaiedge.net. As our FAQ says, we only disable DNSSEC validation very occasionally and temporarily. For most domains that fail DNSSEC validation, we urge the domain owner to fix their zone/nameserver settings.
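Added illustration (not part of the thread and not Google's resolver code): a small constructed model of the per-zone status a validating resolver assigns along a CNAME chain like the one described above, showing why a signed name that CNAMEs into an unsigned zone is answered as "insecure" rather than failing as "bogus". Zone and record data are constructed; `broken.example.` and the 192.0.2.0/24 addresses are hypothetical.

```python
# Zone data, constructed to match the thread: paypal.com is signed, akadns.net
# and edgekey.net are not. "broken.example." is hypothetical: its DS is published
# but its RRSIGs do not verify (the "broken trust chain" case).
SIGNED = {".", "com.", "net.", "example.", "paypal.com.", "broken.example."}
DS_IN_PARENT = {"com.", "net.", "example.", "paypal.com.", "broken.example."}
BAD_SIGS = {"broken.example."}
ZONES = SIGNED | {"akadns.net.", "edgekey.net."}  # every zone with a delegation
# Constructed records: owner -> (type, rdata); 192.0.2.0/24 is documentation space.
RECORDS = {
    "www.paypal.com.": ("CNAME", "www.paypal.com.akadns.net."),
    "www.paypal.com.akadns.net.": ("CNAME", "www.paypal.com.edgekey.net."),
    "www.paypal.com.edgekey.net.": ("A", "192.0.2.10"),
    "www.broken.example.": ("A", "192.0.2.20"),
}

def enclosing_zone(name):
    """Longest zone in ZONES that is a suffix of the absolute name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in ZONES:
            return cand
    return "."

def zone_status(zone):
    """RFC 4035-style status of a zone: 'secure', 'insecure' or 'bogus'."""
    if zone == ".":
        return "secure"  # trust anchor
    parent_status = zone_status(enclosing_zone(zone.split(".", 1)[1] or "."))
    if parent_status != "secure":
        return parent_status  # nothing secure to anchor a DS on
    if zone not in DS_IN_PARENT:
        return "insecure"  # parent proves "no DS": an unsigned child is legitimate
    return "bogus" if zone not in SIGNED or zone in BAD_SIGS else "secure"

def resolve(qname, max_hops=8):
    """Follow the CNAME chain, classify each hop's zone, and decide the reply."""
    chain, name = [], qname
    for _ in range(max_hops):
        rtype, rdata = RECORDS[name]
        chain.append((name, zone_status(enclosing_zone(name))))
        if rtype != "CNAME":
            break
        name = rdata
    statuses = [status for _, status in chain]
    if "bogus" in statuses:
        return {"rcode": "SERVFAIL", "ad": False, "chain": chain}
    return {"rcode": "NOERROR", "ad": all(s == "secure" for s in statuses), "chain": chain}
```

In a real resolver the "no DS" proof comes from NSEC/NSEC3 records in the signed parent; the model treats absence from DS_IN_PARENT as that authenticated proof.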