From: Robert Bradley
Date: Sat, 12 Apr 2014 13:24:35 +0100
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?

On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudfare.com or
> cloudfare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.

-- 
Robert Bradley
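
Added example, not part of the original message: because +trace walks the delegation chain from the root, it says nothing about what a resolver such as 8.8.8.8 returned, so one way to narrow this down is to compare the resolver's answer with and without the CD (checking disabled) bit. The dig headers below are constructed samples, and the function names and result labels are assumptions of this sketch.

```python
import re

# Constructed dig headers (not captured from the thread). Assumed commands:
#   dig @8.8.8.8 blog.cloudflare.com A +dnssec       -> VALIDATING
#   dig @8.8.8.8 blog.cloudflare.com A +dnssec +cd   -> CHECKING_DISABLED
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CHECKING_DISABLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_header(dig_output):
    """Return (status, set_of_flags) from the header lines dig prints."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())


def diagnose(validating, checking_disabled):
    """Classify a resolver's behaviour from the same query sent twice."""
    status, flags = parse_header(validating)
    cd_status, _ = parse_header(checking_disabled)
    if status == "NOERROR":
        # The AD flag is set only when the resolver validated the answer.
        return "validated" if "ad" in flags else "answered-unvalidated"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        # Data is retrievable, but the resolver's DNSSEC validation rejects it.
        return "resolver-validation-failure"
    if status == "SERVFAIL":
        # Fails even with checking disabled: the resolver cannot get the data.
        return "resolver-lookup-failure"
    return "other:" + status


if __name__ == "__main__":
    print(diagnose(VALIDATING, CHECKING_DISABLED))
```

Running the same pair of queries against dnsmasq's listening address instead of 8.8.8.8 shows whether the failure originates upstream or in the local forwarder.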