Date: Fri, 16 May 2014 20:25:00 -0700
From: Stephen Hemminger
To: Aaron Wood
Cc: dnsmasq-discuss, cerowrt-devel
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
Message-ID: <20140516202500.364d7912@nehalam.linuxnetplumber.net>

On Sat, 26 Apr 2014 13:38:08 +0200
Aaron Wood wrote:

> Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
>
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
>
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
>
> While Akamai and cloudflare appear to be issues with their entries in
> google dns, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key. And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
>
> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time. I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.
>
> -Aaron

Ditto.
I was holding out, but performance was much worse, many websites would load poorly, and I got complaints about many errors from my customers (family).