From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <robert.bradley1@gmail.com>
Received: from mail-wg0-x22c.google.com (mail-wg0-x22c.google.com
	[IPv6:2a00:1450:400c:c00::22c])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id A910F21F291
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sat, 12 Apr 2014 04:53:47 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id m15so6356818wgh.3
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sat, 12 Apr 2014 04:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject
	:references:in-reply-to:content-type;
	bh=O+huNjq06t06LgHjrmiyEYjHuDz3u+KXk6c8NqOHNMo=;
	b=edgzTfQAwFvmHRa+adPSh+Hs9XNfUnLBvgBkxa6ZkcGrf5mRcxFyVSSbpmYsi6Waob
	B6P+RAAkh6vP5Nng+9k5HZZPHGh+RqUj+SMQDnEBFM42gKvPtcS1WUS5ccZSQVWZREqZ
	/+yad8QtTtyQGle34jqkACqW4TZ6jf9/cMs+Ca+jmmwoQLUQtnpTxZ4y4tqv/1faoI0+
	EmgY+6pPXdVN1/ekoGNUfmqJ0BIKq358M5WVanj2mDvDTXIY26XsmVJRa3aHLYjLZ3tu
	u4w02i7PgyqL1XgQe5rT9meK3XJxf+qqWYydacWnqI4OqbQdt+/lCacHkPfSBmFnu4wU
	eV1Q==
X-Received: by 10.194.172.38 with SMTP id az6mr2296660wjc.33.1397303625133;
	Sat, 12 Apr 2014 04:53:45 -0700 (PDT)
Received: from ?IPv6:2001:470:6aac:1:49b4:b6e0:2511:c7e7?
	([2001:470:6aac:1:49b4:b6e0:2511:c7e7])
	by mx.google.com with ESMTPSA id d6sm10226160wiz.4.2014.04.12.04.53.43
	for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Sat, 12 Apr 2014 04:53:43 -0700 (PDT)
Message-ID: <53492939.4090508@gmail.com>
Date: Sat, 12 Apr 2014 12:53:29 +0100
From: Robert Bradley <robert.bradley1@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= <toke@toke.dk>
References: <53491E4F.4040108@gmail.com> <878urakdj7.fsf@alrua-x1.kau.toke.dk>
In-Reply-To: <878urakdj7.fsf@alrua-x1.kau.toke.dk>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="0AjfuVWgnu7bhD7pUFwkQXHXt5LrIWnve"
Cc: cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sat, 12 Apr 2014 11:53:48 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--0AjfuVWgnu7bhD7pUFwkQXHXt5LrIWnve
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 12/04/2014 12:11, Toke H=C3=B8iland-J=C3=B8rgensen wrote:
> Robert Bradley <robert.bradley1@gmail.com> writes:
>
>> Can anyone explain why this should be the case?
> If you turn on log-queries in the dnsmasq config, you can see the
> results of the dnssec validation in the logs which might give a hint :)=

>
> -Toke

OK, with log-queries on I get:

Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A]
www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded
www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS]
www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded
www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded
www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply
www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result
is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply
www.cloudflare.com is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply
www.cloudflare.com.cdn.cloudflare.net is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.=
157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.=
157

Running tcpdump -i ge00 port 53 -v -v -n during a query from Windows 7
nslookup, I see:

11:44:44.884477 IP (tos 0x90, ttl 64, id 16465, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.8.8.53: [udp sum ok] 20890+ [1au] A?
www.cloudflare.com. ar: . OPT UDPsize=3D4096 OK (47)
11:44:44.884652 IP (tos 0x90, ttl 64, id 26115, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.4.4.53: [udp sum ok] 20890+ [1au] A?
www.cloudflare.com. ar: . OPT UDPsize=3D4096 OK (47)
11:44:44.904068 IP (tos 0x0, ttl 47, id 47459, offset 0, flags [none],
proto UDP (17), length 197)
    8.8.8.8.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A?
www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME
www.cloudflare.com.cdn.cloudflare.net.,
www.cloudflare.com.cdn.cloudflare.net. CNAME
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A
198.41.212.157,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A
198.41.213.157 ar: . OPT UDPsize=3D512 OK (169)
11:44:44.904120 IP (tos 0x0, ttl 45, id 57740, offset 0, flags [none],
proto UDP (17), length 197)
    8.8.4.4.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A?
www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME
www.cloudflare.com.cdn.cloudflare.net.,
www.cloudflare.com.cdn.cloudflare.net. CNAME
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A
198.41.212.157,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A
198.41.213.157 ar: . OPT UDPsize=3D512 OK (169)
11:44:44.904720 IP (tos 0x90, ttl 64, id 16466, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.60232 > 8.8.8.8.53: [udp sum ok] 43145+ [1au] DS?
www.cloudflare.com. ar: . OPT UDPsize=3D4096 OK (47)
11:44:45.430963 IP (tos 0x0, ttl 49, id 13829, offset 0, flags [none],
proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.60232: [udp sum ok] 43145 ServFail q: DS?
www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=3D512 OK (47)
11:44:45.434094 IP (tos 0x90, ttl 64, id 16467, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.27765 > 8.8.8.8.53: [udp sum ok] 6810+ [1au] AAAA?
www.cloudflare.com. ar: . OPT UDPsize=3D4096 OK (47)
11:44:45.455145 IP (tos 0x0, ttl 47, id 13830, offset 0, flags [none],
proto UDP (17), length 221)
    8.8.8.8.53 > 86.1.32.208.27765: [udp sum ok] 6810 q: AAAA?
www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME
www.cloudflare.com.cdn.cloudflare.net.,
www.cloudflare.com.cdn.cloudflare.net. CNAME
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA
2400:cb00:2048:1::c629:d59d,
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA
2400:cb00:2048:1::c629:d49d ar: . OPT UDPsize=3D512 OK (193)
11:44:45.455845 IP (tos 0x90, ttl 64, id 16468, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [1au] DS?
www.cloudflare.com. ar: . OPT UDPsize=3D4096 OK (47)
11:44:45.895583 IP (tos 0x0, ttl 47, id 16395, offset 0, flags [none],
proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS?
www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=3D512 OK (47)
11:44:45.896049 IP (tos 0x90, ttl 64, id 26116, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.4.4.53: [udp sum ok] 37758+ [b2&3=3D0x182]
[1au] DS? www.cloudflare.com. ar: . OPT UDPsize=3D512 OK (47)
11:44:45.896242 IP (tos 0x90, ttl 64, id 16469, offset 0, flags [DF],
proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [b2&3=3D0x182]
[1au] DS? www.cloudflare.com. ar: . OPT UDPsize=3D512 OK (47)
11:44:46.335616 IP (tos 0x0, ttl 46, id 44525, offset 0, flags [none],
proto UDP (17), length 75)
    8.8.4.4.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS?
www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=3D512 OK (47)
11:44:46.341564 IP (tos 0x0, ttl 47, id 47460, offset 0, flags [none],
proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS?
www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=3D512 OK (47)

That seems to suggest that it's the DS queries that are failing and that
this is probably not a dnsmasq bug.  Trying Verisign's DNSSEC debugger
(http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com) seems to
suggest that their nameservers refuse requests for DNSKEY records.

--=20
Robert Bradley



--0AjfuVWgnu7bhD7pUFwkQXHXt5LrIWnve
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTSSlFAAoJEGK/UXZZ8Ak6KroP/0RIwSUbeTCF5nLV0+tD2JFw
fwTpNHKUMBJvmOXEQIBEBlZoTdRA9Hd3Eoc38PW7/iRoAuPN9+lC/7pfN26jbqdh
9lfcPLbH6ONimudIXBWkkY+aJ/chHWk28YUnms3bY2+nf0+cCgOuOazP37KhslAQ
ik388faT08YwpE6dHaf1qwWqd37BGuRhHRLGXvkpV4U2UXPGyvNHmvfiKurPCZEA
hKn5YNYUtxVSN5Cuu7WwOH0anjnRSJ6NeVTlJDhPcLrH7VF5lfSRQdfCNzyiXHIG
TbggEUWwEpqhCXH+QISZHLePtuIe8D9VQg959AzHwaOjBB3wAC0RTEFalh1Cd7d5
0zrZEQiU624a8IVH0NZDVoKfff8KfPyLF4YPDDqJ5KIds5cnw2b+TXiWw7Cp4mPZ
GFWMIqBCZr+XHWNX2t+Uz+s8MZrUO5GIGVV/S1nVtpKNpQBfLdrlMRDshPHTS3Ab
Ep2D/bbONunGrGuMOrex6sjHVT/tRFF5tLYY9fJzfMjVnhLZaWADwG/ewzibDl0S
clix/45F1ED5JHbCoWdbhTFrbyprApadWG9vf0dlQg+TxrWknaqhu5bi+NY9v1sY
thZTK0/nCERwATe2RYlFGQyHiYOcdKRC86rNdX+LfWU2kPW4SbE04seHqVPPkFfM
uRZxUH4YFIt26D4WlHGi
=1wAz
-----END PGP SIGNATURE-----

--0AjfuVWgnu7bhD7pUFwkQXHXt5LrIWnve--