Return-Path: <dpreed@reed.com>
Received: from smtp105.iad3a.emailsrvr.com (smtp105.iad3a.emailsrvr.com [173.203.187.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 4E1CD21F27D; Sat, 26 Apr 2014 09:00:14 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp6.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id AA3441A80C6; Sat, 26 Apr 2014 12:00:12 -0400 (EDT)
X-Virus-Scanned: OK
Received: from app32.wa-webapps.iad3a (relay.iad3a.rsapps.net [172.27.255.110]) by smtp6.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 73FF91A80B6; Sat, 26 Apr 2014 12:00:12 -0400 (EDT)
Received: from reed.com (localhost.localdomain [127.0.0.1]) by app32.wa-webapps.iad3a (Postfix) with ESMTP id 59DCF280058; Sat, 26 Apr 2014 12:00:12 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: dpreed@reed.com, from: dpreed@reed.com) with HTTP; Sat, 26 Apr 2014 12:00:12 -0400 (EDT)
Date: Sat, 26 Apr 2014 12:00:12 -0400 (EDT)
From: dpreed@reed.com
To: "Aaron Wood" <woody77@gmail.com>
Cc: dnsmasq-discuss, cerowrt-devel
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
Message-ID: <1398528012.36628423@apps.rackspace.com>
X-Mailer: webmail7.0
List-Id: Development issues regarding the cerowrt test router project
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
X-List-Received-Date: Sat, 26 Apr 2014 16:00:14 -0000

Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites?

If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure).

If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so).


On Saturday, April 26, 2014 7:38am, "Aaron Wood" <woody77@gmail.com> said:

> Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers.
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> And I'm not getting any traction with reporting the errors to those sites, so it's frustrating in getting it properly fixed.
> While Akamai and cloudflare appear to be issues with their entries in google dns, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual "we use ssl" sort of quasi-automated response).
> So I'm disabling it for now, or rather, falling back to using my ISP's dns servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the cdns) to be able to rely on it at this time.
> -Aaron

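The question the reply opens with (is the validator at fault, or the zone?) can be settled from outside dnsmasq by querying a name twice through a validating resolver, once normally and once with checking disabled (`dig +cd`). This is an added example, not code from the thread or from dnsmasq: it parses the header and flags lines of `dig` text output and applies the usual reading of the two answers. The sample `dig` output embedded below is constructed for the example, not captured from the sites named in the thread, and `example.invalid` stands in for any name under test.

```python
"""Classify a DNSSEC resolution failure from a pair of dig responses.

Decision rule (standard interpretation of a validating resolver's answers):
  - plain query SERVFAIL, +cd query NOERROR  -> "bogus": the resolver rejected
    the zone's chain (bad DS/DNSKEY/RRSIG at the zone), not a local fault
  - both SERVFAIL                            -> "unreachable": fails even without
    validation, so DNSSEC is not the cause
  - plain query NOERROR with the 'ad' flag   -> "secure": chain validated
  - plain query NOERROR without 'ad'         -> "insecure": unsigned zone or
    unsigned delegation; answered, just not validated
"""
import re

# Constructed sample name; any hostname from the thread could be substituted.
NAME = "example.invalid"
RESOLVER = "8.8.8.8"  # one of Google's public resolvers, as used in the thread

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def dig_commands(name: str, resolver: str = RESOLVER) -> tuple[str, str]:
    """The two commands whose output classify() expects (plain, then +cd)."""
    base = f"dig @{resolver} +dnssec {name} A"
    return base, base.replace("+dnssec", "+dnssec +cd")


def parse_dig(text: str) -> dict:
    """Extract the response status and header flags from dig text output."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no ;; ->>HEADER<<- line in dig output")
    flags = FLAGS_RE.search(text)
    return {
        "status": header.group(2),
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def classify(normal: str, checking_disabled: str) -> str:
    """Return 'bogus', 'unreachable', 'secure', 'insecure' or 'other'."""
    n = parse_dig(normal)
    cd = parse_dig(checking_disabled)
    if n["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
        return "bogus"
    if n["status"] == "SERVFAIL" and cd["status"] == "SERVFAIL":
        return "unreachable"
    if n["status"] == "NOERROR" and "ad" in n["flags"]:
        return "secure"
    if n["status"] == "NOERROR":
        return "insecure"
    return "other"


# Constructed dig output (not real captures). Only the header and flags lines matter.
BOGUS_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.invalid.\t300\tIN\tA\t192.0.2.10
"""
SECURE_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4323
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SECURE_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4324
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
INSECURE_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4325
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    plain, cd = dig_commands(NAME)
    print("run:", plain)
    print("run:", cd)
    print("sample bogus case   ->", classify(BOGUS_PLAIN, BOGUS_CD))
    print("sample secure case  ->", classify(SECURE_PLAIN, SECURE_CD))
    print("sample insecure case->", classify(INSECURE_PLAIN, INSECURE_PLAIN))
```

A "bogus" result points at the zone operator (the outright bad key Aaron describes for BofA is exactly this case); an "insecure" result for a name that dnsmasq nonetheless refuses points back at the local validator's handling of unsigned delegations, which is the other possibility the reply raises.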