On 12/04/2014 12:11, Toke Høiland-Jørgensen wrote:
> Robert Bradley writes:
>
>> Can anyone explain why this should be the case?
> If you turn on log-queries in the dnsmasq config, you can see the
> results of the dnssec validation in the logs which might give a hint :)
>
> -Toke

OK, with log-queries on I get:

Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is 
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is 
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157

Running tcpdump -i ge00 port 53 -v -v -n during a query from Windows 7 nslookup, I see:

11:44:44.884477 IP (tos 0x90, ttl 64, id 16465, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.8.8.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.884652 IP (tos 0x90, ttl 64, id 26115, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.4.4.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.904068 IP (tos 0x0, ttl 47, id 47459, offset 0, flags [none], proto UDP (17), length 197)
    8.8.8.8.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904120 IP (tos 0x0, ttl 45, id 57740, offset 0, flags [none], proto UDP (17), length 197)
    8.8.4.4.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904720 IP (tos 0x90, ttl 64, id 16466, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.60232 > 8.8.8.8.53: [udp sum ok] 43145+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.430963 IP (tos 0x0, ttl 49, id 13829, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.60232: [udp sum ok] 43145 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.434094 IP (tos 0x90, ttl 64, id 16467, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.27765 > 8.8.8.8.53: [udp sum ok] 6810+ [1au] AAAA? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.455145 IP (tos 0x0, ttl 47, id 13830, offset 0, flags [none], proto UDP (17), length 221)
    8.8.8.8.53 > 86.1.32.208.27765: [udp sum ok] 6810 q: AAAA? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d59d, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d49d ar: . OPT UDPsize=512 OK (193)
11:44:45.455845 IP (tos 0x90, ttl 64, id 16468, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.895583 IP (tos 0x0, ttl 47, id 16395, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.896049 IP (tos 0x90, ttl 64, id 26116, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.4.4.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:45.896242 IP (tos 0x90, ttl 64, id 16469, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:46.335616 IP (tos 0x0, ttl 46, id 44525, offset 0, flags [none], proto UDP (17), length 75)
    8.8.4.4.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:46.341564 IP (tos 0x0, ttl 47, id 47460, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)

That seems to suggest that it's the DS queries that are failing and that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com) seems to suggest that their nameservers refuse requests for DNSKEY records.

-- 
Robert Bradley
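The debugging step suggested in the thread above (turn on log-queries, then read the dnssec-query lines and the "validation result" verdict) can be mechanised so the failing sub-query stands out without reading the log by hand. The script below is an added example written for this page; it is not code from the post, from Robert Bradley, or from dnsmasq. It parses the dnsmasq lines quoted above, plus a constructed second query for example.net with a SECURE verdict so both outcomes appear, and reports per client query the upstreams used, the DNSSEC sub-queries issued, any record dnsmasq marked BOGUS, the final verdict and the addresses returned. The grouping rule (every event belongs to the most recent "query[...]" line) is an assumption that holds for a single serial client such as the one in the post, not for a busy resolver with interleaved queries.

```python
"""Summarise DNSSEC outcomes from dnsmasq 'log-queries' output (added example)."""
import ipaddress
import re

# Constructed sample: the dnsmasq lines quoted in the post above, followed by a
# made-up query for example.net that validates SECURE (not from the post).
SAMPLE_LOG = """\
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157
Sat Apr 12 11:42:03 2014 daemon.info dnsmasq[14581]: query[A] example.net from 127.0.0.1
Sat Apr 12 11:42:03 2014 daemon.info dnsmasq[14581]: forwarded example.net to 8.8.8.8
Sat Apr 12 11:42:03 2014 daemon.info dnsmasq[14581]: dnssec-query[DNSKEY] example.net to 8.8.8.8
Sat Apr 12 11:42:03 2014 daemon.info dnsmasq[14581]: validation result is SECURE
Sat Apr 12 11:42:03 2014 daemon.info dnsmasq[14581]: reply example.net is 192.0.2.10
"""

# Syslog prefix varies by platform, so only the part after "dnsmasq[pid]:" is parsed.
MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
DNSSEC_RE = re.compile(r"^dnssec-query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) to (?P<server>\S+)$")
FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is ?(?P<value>.*)$")   # value may be empty (CNAME)
RESULT_RE = re.compile(r"^validation result is (?P<result>[A-Z]+)$")


def is_address(value):
    """True for an IPv4 or IPv6 literal, i.e. an actual answer rather than a status."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def summarize(log_text):
    """Group log lines into client queries (assumption: serial queries, so every
    event belongs to the most recent 'query[...]' line) and collect what happened."""
    queries = []
    current = None
    for raw in log_text.splitlines():
        m = MSG_RE.search(raw)
        if not m:
            continue                      # not a dnsmasq line
        msg = m.group("msg").strip()
        q = QUERY_RE.match(msg)
        if q:                             # a new client query opens a new group
            current = {"qtype": q["qtype"], "name": q["name"], "client": q["client"],
                       "upstreams": [], "dnssec_queries": [], "bogus": [],
                       "result": None, "addresses": []}
            queries.append(current)
            continue
        if current is None:
            continue                      # events logged before any query line
        f = FWD_RE.match(msg)
        if f:
            if f["server"] not in current["upstreams"]:
                current["upstreams"].append(f["server"])
            continue
        d = DNSSEC_RE.match(msg)
        if d:                             # DS/DNSKEY lookups dnsmasq issued itself
            current["dnssec_queries"].append((d["qtype"], d["name"], d["server"]))
            continue
        r = RESULT_RE.match(msg)
        if r:                             # final verdict: SECURE / INSECURE / BOGUS
            current["result"] = r["result"]
            continue
        p = REPLY_RE.match(msg)
        if p:
            value = p["value"].strip()
            if value.startswith("BOGUS"):     # e.g. "BOGUS DS": the failed sub-query
                current["bogus"].append((p["name"], value))
            elif is_address(value):
                current["addresses"].append(value)
    return queries


def bogus_names(queries):
    """Names of client queries whose final verdict was BOGUS."""
    return [q["name"] for q in queries if q["result"] == "BOGUS"]


def explain(query):
    """One-line summary naming the sub-query that failed, if any."""
    line = "%s %s -> %s" % (query["qtype"], query["name"], query["result"] or "no verdict logged")
    for name, what in query["bogus"]:
        line += "; %s record for %s marked bogus" % (what.split()[-1], name)
    if query["dnssec_queries"]:
        line += "; DNSSEC sub-queries: " + ", ".join("%s %s via %s" % t for t in query["dnssec_queries"])
    if query["addresses"]:
        line += "; answers: " + ", ".join(query["addresses"])
    return line


if __name__ == "__main__":
    for q in summarize(SAMPLE_LOG):
        print(explain(q))
```

Run against a real log, feed it the output of `grep dnsmasq /var/log/syslog` (or `logread` on OpenWrt-based firmware). On the post's own lines it reports that the A query for www.cloudflare.com ended BOGUS because the DS lookup sent to 8.8.4.4 came back bogus, which is exactly the DS ServFail the tcpdump capture shows; the addresses listed after the verdict are still recorded so you can see what dnsmasq had in hand when validation failed.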