From: Robert Bradley <robert.bradley1@gmail.com>
To: Dave Taht <dave.taht@gmail.com>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] cerowrt-3.10.36-4 released
Date: Fri, 11 Apr 2014 13:34:05 +0100 [thread overview]
Message-ID: <5347E13D.5090501@gmail.com> (raw)
In-Reply-To: <CAA93jw7-2sbUjJarP-_fkdrXa1+ZqnUVB3LqSJr6isrwuG1EwQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3271 bytes --]
On 10/04/2014 18:29, Dave Taht wrote:
> On Thu, Apr 10, 2014 at 8:18 AM, Robert Bradley
> <robert.bradley1@gmail.com> wrote:
>> On 10/04/2014 15:32, Toke Høiland-Jørgensen wrote:
>>> If you add a 'scope link' route on the wan interface, the BCP38 code
>>> *should* pick this up automatically and add an exception. Would be cool
>>> if you could test this :)
>> Just tested this now and it works fine. :)
> How did you add scope link?
I added the route via Luci's web interface for it (Network/Static
Routes), using interface ge00 and target 192.168.100.1. The other
settings were left at their defaults (netmask 255.255.255.255, gateway
blank, metric 0, MTU=1500). I verified it via SSH and "ip -4 route show".
The command line equivalent to the resulting route would be "ip route
add 192.168.100.1 dev ge00 proto static" with or without an explicit
"scope link" appended.
> As if working around the time problem was not headache enough...
>
> I note that until now the dnssec implementation was NOT doing negative
> proofs (proofs of non-existence of a signature), as I added
> dnssec-check-unsigned
> to /etc/dnsmasq.conf in this release.
>
> dnssec
> dnssec-check-unsigned
>
> I do forsee this (and dnssec in general) causing massive problems in
> environments
> that muck with dns. I have no idea as to how prevalent this problem is.
>
> I'd like for it to not fail silently, but fall back to non-dnssec behavior
> in some way that gives the user a chance to figure out why their
> network isn't working
> and who to point a finger at.
>
> Automagically falling back to 8.8.8.8 doesn't bother me much, except in places
> where that is blocked too.
>
> Anyway.
>
> 1) You can specify your dns servers in /etc/config/network, and disable fetching
> your providers's addresses via adding
>
> option 'dns' '8.8.8.8 4.4.4.4'
> option 'peerdns' '0'
>
> to the ge00 declaration. This will do the right thing to resolv.conf.auto.
I tested that just now and it's working well with no resolv.conf funny
business. On the benchmarking side, it's not a good quantitative result
but the resolution latency via Google DNS doesn't feel that much slower
than the non-validated ISP results. Using dig to pull A records for the
RIR websites, I noticed that validation seems to increase the uncached
query time up to 10-fold compared to a similar +cdflag query, but is
very much distance-dependent. For example, www.arin.net went from 27ms
to 210ms, but the ping RTT to their name servers is:
u.arin.net: 25ms
v.arin.net: 30ms
ns1.arin.net: 100ms
ns2.arin.net: 160ms
> Another thing the above is useful for if you have working ipv6 via
> dhcppd, you will
> get the ipv6 dns servers from upstream and use those only.... (otherwise dnsmasq
> will choose the "best" upstream and generally chooses the ipv4 one)
>
> 2) Alternatively, you can disable dnssec by commenting it out in
> /etc/dnsmasq.conf
I found that just disabling the dnssec-check-unsigned line is enough to
get DNS working again.
> 3) Of course, I advocate pestering your provider to enable dnssec, (and ipv6)
> also.
I agree, but I'm not expecting any rush for the major ISPs here to
support either!
--
Robert Bradley
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 899 bytes --]
next prev parent reply other threads:[~2014-04-11 12:34 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-10 6:45 Dave Taht
2014-04-10 6:46 ` Dave Taht
2014-04-10 17:33 ` Dave Taht
2014-04-11 18:25 ` Jim Gettys
2014-04-10 13:48 ` Valdis.Kletnieks
2014-04-10 14:06 ` Robert Bradley
2014-04-10 14:32 ` Toke Høiland-Jørgensen
2014-04-10 15:18 ` Robert Bradley
2014-04-10 15:21 ` Toke Høiland-Jørgensen
2014-04-10 17:29 ` Dave Taht
2014-04-10 17:57 ` Toke Høiland-Jørgensen
2014-04-10 19:06 ` Sebastian Moeller
2014-04-11 12:34 ` Robert Bradley [this message]
2014-04-10 16:40 ` Valdis.Kletnieks
2014-04-10 16:48 ` Toke Høiland-Jørgensen
2014-04-10 16:51 ` Valdis.Kletnieks
2014-04-10 16:54 ` Toke Høiland-Jørgensen
2014-04-10 18:02 ` Sebastian Moeller
2014-04-13 0:22 ` Jim Reisert AD1C
2014-04-13 0:30 ` Sebastian Moeller
2014-04-13 0:44 ` Jim Reisert AD1C
2014-04-10 16:46 ` Jim Gettys
2014-04-10 17:31 ` Dave Taht
2014-04-10 17:35 ` Jim Gettys
2014-04-11 9:50 ` David Personette
2014-04-11 10:43 ` Aaron Wood
2014-04-12 11:45 ` Neil Shepperd
2014-04-12 19:04 ` Dave Taht
[not found] ` <CANp2as81TR_kCR8a_sZs045tXFGADL1W4CFtNEJiJrjutmL7cg@mail.gmail.com>
2014-04-11 16:31 ` Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5347E13D.5090501@gmail.com \
--to=robert.bradley1@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox