On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.

--
Robert Bradley