From: Robert Bradley
Date: Sat, 12 Apr 2014 12:53:29 +0100
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
Message-ID: <53492939.4090508@gmail.com>
In-Reply-To: <878urakdj7.fsf@alrua-x1.kau.toke.dk>

On 12/04/2014 12:11, Toke Høiland-Jørgensen wrote:
> Robert Bradley writes:
>
>> Can anyone explain why this should be the case?
> If you turn on log-queries in the dnsmasq config, you can see the
> results of the dnssec validation in the logs which might give a hint :)
>
> -Toke

OK, with log-queries on I get:

Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157

Running tcpdump -i ge00 port 53 -v -v -n during a query from Windows 7 nslookup, I see:

11:44:44.884477 IP (tos 0x90, ttl 64, id 16465, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.8.8.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.884652 IP (tos 0x90, ttl 64, id 26115, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.4.4.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.904068 IP (tos 0x0, ttl 47, id 47459, offset 0, flags [none], proto UDP (17), length 197)
    8.8.8.8.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904120 IP (tos 0x0, ttl 45, id 57740, offset 0, flags [none], proto UDP (17), length 197)
    8.8.4.4.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904720 IP (tos 0x90, ttl 64, id 16466, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.60232 > 8.8.8.8.53: [udp sum ok] 43145+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.430963 IP (tos 0x0, ttl 49, id 13829, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.60232: [udp sum ok] 43145 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.434094 IP (tos 0x90, ttl 64, id 16467, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.27765 > 8.8.8.8.53: [udp sum ok] 6810+ [1au] AAAA? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.455145 IP (tos 0x0, ttl 47, id 13830, offset 0, flags [none], proto UDP (17), length 221)
    8.8.8.8.53 > 86.1.32.208.27765: [udp sum ok] 6810 q: AAAA? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d59d, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d49d ar: . OPT UDPsize=512 OK (193)
11:44:45.455845 IP (tos 0x90, ttl 64, id 16468, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.895583 IP (tos 0x0, ttl 47, id 16395, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.896049 IP (tos 0x90, ttl 64, id 26116, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.4.4.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:45.896242 IP (tos 0x90, ttl 64, id 16469, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:46.335616 IP (tos 0x0, ttl 46, id 44525, offset 0, flags [none], proto UDP (17), length 75)
    8.8.4.4.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:46.341564 IP (tos 0x0, ttl 47, id 47460, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)

That seems to suggest that it's the DS queries that are failing and that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com) seems to suggest that their nameservers refuse requests for DNSKEY records.
-- 
Robert Bradley
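Added example, not part of the thread: a small parser for dnsmasq log-queries output that ties each reply marked BOGUS to the DNSSEC-specific queries (DS/DNSKEY) dnsmasq issued for that name and the upstream it asked, which is the correlation the message above does by eye. The sample log lines are constructed in the format quoted above; the function and regex names are assumptions, not anything from dnsmasq itself.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq 'log-queries' format, modelled on the lines
# quoted in the thread (not copied from the post). One name goes BOGUS after
# a DS lookup, one validates cleanly.
SAMPLE_LOG = """\
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:53 2014 daemon.info dnsmasq[14581]: query[A] example.net from 127.0.0.1
Sat Apr 12 11:41:53 2014 daemon.info dnsmasq[14581]: dnssec-query[DNSKEY] example.net to 8.8.8.8
Sat Apr 12 11:41:53 2014 daemon.info dnsmasq[14581]: reply example.net is 192.0.2.10
Sat Apr 12 11:41:53 2014 daemon.info dnsmasq[14581]: validation result is SECURE
"""

# Everything after the 'dnsmasq[pid]: ' prefix is the message we classify.
MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
DNSSEC_Q_RE = re.compile(r"^dnssec-query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) to (?P<upstream>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<what>.*)$")


def dnssec_failures(log_text):
    """Map each name whose reply was marked BOGUS to the DNSSEC-specific
    queries (DS/DNSKEY) dnsmasq issued for it and the upstreams it asked.
    A BOGUS verdict whose only preceding DNSSEC query is a DS lookup means
    the chain of trust could not be built from the upstream's DS answer."""
    issued = defaultdict(list)  # name -> [(rtype, upstream), ...]
    failures = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a dnsmasq line; skip it
        msg = m.group("msg")
        q = DNSSEC_Q_RE.match(msg)
        if q:
            issued[q.group("name")].append((q.group("rtype"), q.group("upstream")))
            continue
        r = REPLY_RE.match(msg)
        if r and r.group("what").startswith("BOGUS"):
            failures[r.group("name")] = {
                "verdict": r.group("what"),
                "dnssec_queries": list(issued.get(r.group("name"), [])),
            }
    return failures
```

Feeding it the real log from the message above would report www.cloudflare.com with verdict "BOGUS DS" after a single DS query to 8.8.4.4, matching the ServFail answers seen in the tcpdump capture.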