From: Robert Bradley
Date: Fri, 11 Apr 2014 13:34:05 +0100
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt-3.10.36-4 released
Message-ID: <5347E13D.5090501@gmail.com>
References: <85984.1397137700@turing-police.cc.vt.edu> <5346A561.30901@gmail.com> <87sipll0fh.fsf@toke.dk> <5346B650.5040200@gmail.com>

On 10/04/2014 18:29, Dave Taht wrote:
> On Thu, Apr 10, 2014 at 8:18 AM, Robert Bradley wrote:
>> On 10/04/2014 15:32, Toke Høiland-Jørgensen wrote:
>>> If you add a 'scope link' route on the wan interface, the BCP38 code
>>> *should* pick this up automatically and add an exception. Would be cool
>>> if you could test this :)
>> Just tested this now and it works fine. :)
> How did you add scope link?

I added the route via Luci's web interface for it (Network/Static Routes), using interface ge00 and target 192.168.100.1. The other settings were left at their defaults (netmask 255.255.255.255, gateway blank, metric 0, MTU=1500). I verified it via SSH and "ip -4 route show". The command line equivalent to the resulting route would be "ip route add 192.168.100.1 dev ge00 proto static" with or without an explicit "scope link" appended.

> As if working around the time problem was not headache enough...
>
> I note that until now the dnssec implementation was NOT doing negative
> proofs (proofs of non-existence of a signature), as I added
> dnssec-check-unsigned
> to /etc/dnsmasq.conf in this release.
>
> dnssec
> dnssec-check-unsigned
>
> I do foresee this (and dnssec in general) causing massive problems in
> environments
> that muck with dns. I have no idea as to how prevalent this problem is.
>
> I'd like for it to not fail silently, but fall back to non-dnssec behavior
> in some way that gives the user a chance to figure out why their
> network isn't working
> and who to point a finger at.
>
> Automagically falling back to 8.8.8.8 doesn't bother me much, except in places
> where that is blocked too.
>
> Anyway.
>
> 1) You can specify your dns servers in /etc/config/network, and disable fetching
> your provider's addresses via adding
>
> option 'dns' '8.8.8.8 4.4.4.4'
> option 'peerdns' '0'
>
> to the ge00 declaration. This will do the right thing to resolv.conf.auto.

I tested that just now and it's working well with no resolv.conf funny business.

On the benchmarking side, it's not a good quantitative result but the resolution latency via Google DNS doesn't feel that much slower than the non-validated ISP results. Using dig to pull A records for the RIR websites, I noticed that validation seems to increase the uncached query time up to 10-fold compared to a similar +cdflag query, but is very much distance-dependent. For example, www.arin.net went from 27ms to 210ms, but the ping RTT to their name servers is:

u.arin.net: 25ms
v.arin.net: 30ms
ns1.arin.net: 100ms
ns2.arin.net: 160ms

> Another thing the above is useful for if you have working ipv6 via
> dhcppd, you will
> get the ipv6 dns servers from upstream and use those only.... (otherwise dnsmasq
> will choose the "best" upstream and generally chooses the ipv4 one)
>
> 2) Alternatively, you can disable dnssec by commenting it out in
> /etc/dnsmasq.conf

I found that just disabling the dnssec-check-unsigned line is enough to get DNS working again.

> 3) Of course, I advocate pestering your provider to enable dnssec, (and ipv6)
> also.

I agree, but I'm not expecting any rush for the major ISPs here to support either!

-- 
Robert Bradley
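The route-detection behaviour Toke describes above (a 'scope link' route on the WAN interface being picked up as a BCP38 exception), as an added example that is not part of this thread and not the CeroWrt bcp38 package's own script. It assumes a constructed `ip -4 route show` listing with ge00 as the WAN interface, a hypothetical helper name `bcp38_exceptions`, and the reading that only RFC 1918 destinations need an exception, since those are the ones an outbound anti-spoofing filter on the WAN would otherwise drop:

```shell
#!/bin/sh
# Added example (not the CeroWrt bcp38 package's own code).
# Constructed sample of `ip -4 route show` on a router whose WAN is ge00.
# The 192.168.100.1 host route is the form that LuCI (Network/Static Routes)
# or `ip route add 192.168.100.1 dev ge00 proto static` produces: no gateway,
# so the kernel marks it "scope link".
SAMPLE_ROUTES='default via 203.0.113.1 dev ge00 proto static
203.0.113.0/24 dev ge00 proto kernel scope link src 203.0.113.42
192.168.100.1 dev ge00 proto static scope link
172.30.42.0/24 dev se00 proto kernel scope link src 172.30.42.1
10.0.0.0/8 via 203.0.113.254 dev ge00 proto static'

# bcp38_exceptions IFACE   (hypothetical helper name)
# Reads a route listing on stdin and prints the destination of every route
# that is directly attached to IFACE ("dev IFACE ... scope link"), has no
# "via" gateway, is not the default route, and lies in RFC 1918 space.
# Public directly-attached subnets (203.0.113.0/24 here) are skipped because
# a BCP38 filter does not block them, so no exception is needed.
bcp38_exceptions() {
    awk -v dev="$1" '
        function is_private(a,   o) {
            split(a, o, ".")
            if (o[1] + 0 == 10) return 1
            if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
            if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
            return 0
        }
        $1 == "default" { next }
        {
            on_dev = 0; linked = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "via") next
                if ($i == "dev" && $(i + 1) == dev) on_dev = 1
                if ($i == "scope" && $(i + 1) == "link") linked = 1
            }
            if (on_dev && linked && is_private($1)) print $1
        }'
}

# On the router this would be:  ip -4 route show | bcp38_exceptions ge00
# Over the constructed sample it prints 192.168.100.1 (the cable-modem
# style address that must stay reachable despite the RFC 1918 filter).
printf '%s\n' "$SAMPLE_ROUTES" | bcp38_exceptions ge00
```

Each printed destination is what a BCP38 script would turn into an allow rule ahead of its drop rule for private destinations; routes with a `via` gateway are deliberately not treated as exceptions, because the next hop is reached through the connected or default route rather than through a directly attached private address.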