Message-ID: <53491E4F.4040108@gmail.com>
Date: Sat, 12 Apr 2014 12:06:55 +0100
From: Robert Bradley
To: cerowrt-devel
Subject: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

I noticed today that attempts to visit www.cloudflare.com and other
subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
DNSSEC checks are enabled, but not if I query Google DNS directly. The
resulting queries are:

root@cerowrt:~# dig www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; Query time: 808 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:10 UTC 2014
;; MSG SIZE rcvd: 47

root@cerowrt:~# dig +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +adflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; Query time: 913 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:21 UTC 2014
;; MSG SIZE rcvd: 47

root@cerowrt:~# dig +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 297 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 297 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.212.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.213.157

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:26 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 84 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 166 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:35 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +adflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 77 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 159 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:41 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +cdflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A

;; ANSWER SECTION:
www.cloudflare.com. 69 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 151 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.212.157

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:48 UTC 2014
;; MSG SIZE rcvd: 169

root@cerowrt:~#

Can anyone explain why this should be the case?

-- 
Robert Bradley
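
The comparison made in the message above (a normal query against the same query sent with +cdflag), as an added example that is not part of the original post: it parses dig's response header and separates a DNSSEC validation failure at the resolver from an ordinary resolution failure. The names `parse_dig` and `classify` and the result labels are hypothetical; the sample header lines are copied from the dig output in the message.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")  # header flags, not the EDNS "flags: do"
ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")

def parse_dig(text):
    """Pull rcode, header flags and answer count out of dig's text output."""
    s, f, a = STATUS_RE.search(text), FLAGS_RE.search(text), ANSWER_RE.search(text)
    if not (s and f and a):
        raise ValueError("no dig response header found")
    return {"status": s.group(1), "flags": set(f.group(1).split()),
            "answers": int(a.group(1))}

def classify(normal, cd):
    """Compare a normal query with the same query sent with +cdflag."""
    if "cd" not in cd["flags"]:
        raise ValueError("second response was not a +cdflag query")
    if normal["status"] == "SERVFAIL":
        # Data is retrievable with checking disabled, so the resolver
        # fetched it and then rejected it during DNSSEC validation.
        if cd["status"] == "NOERROR" and cd["answers"] > 0:
            return "validation-failure"
        return "resolution-failure"
    if normal["status"] == "NOERROR":
        # "ad" is set only when the resolver marks the answer authenticated.
        return "validated" if "ad" in normal["flags"] else "unvalidated"
    return "other"

# Header lines copied from the message: local dnsmasq, then 8.8.8.8.
LOCAL_DEFAULT = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512"""
LOCAL_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512"""
GOOGLE_DEFAULT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512"""
GOOGLE_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512"""

if __name__ == "__main__":
    print("127.0.0.1:", classify(parse_dig(LOCAL_DEFAULT), parse_dig(LOCAL_CD)))
    print("8.8.8.8:  ", classify(parse_dig(GOOGLE_DEFAULT), parse_dig(GOOGLE_CD)))
```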