Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed
* [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
@ 2014-04-12 11:06 Robert Bradley
  2014-04-12 11:11 ` Toke Høiland-Jørgensen
  2014-04-12 11:13 ` Robert Bradley
  0 siblings, 2 replies; 11+ messages in thread
From: Robert Bradley @ 2014-04-12 11:06 UTC (permalink / raw)
  To: cerowrt-devel

[-- Attachment #1: Type: text/plain, Size: 5202 bytes --]

I noticed today that attempts to visit www.cloudflare.com and other
subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
DNSSEC checks are enabled, but not if I query Google DNS directly.

The resulting queries are:

root@cerowrt:~# dig www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; Query time: 808 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:10 UTC 2014
;; MSG SIZE  rcvd: 47

root@cerowrt:~# dig +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +adflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; Query time: 913 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:21 UTC 2014
;; MSG SIZE  rcvd: 47

root@cerowrt:~# dig +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     297     IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 297 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.212.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.213.157

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:26 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     84      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 166 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:35 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +adflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     77      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 159 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:41 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +cdflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     69      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 151 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.212.157

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:48 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~#

Can anyone explain why this should be the case?

-- 
Robert Bradley



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 899 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2014-04-12 21:27 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-12 11:06 [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq? Robert Bradley
2014-04-12 11:11 ` Toke Høiland-Jørgensen
2014-04-12 11:53   ` Robert Bradley
2014-04-12 12:02     ` Toke Høiland-Jørgensen
2014-04-12 12:24       ` Robert Bradley
2014-04-12 19:06         ` Dave Taht
2014-04-12 19:07         ` Michael Richardson
2014-04-12 20:30           ` Robert Bradley
2014-04-12 20:54             ` Michael Richardson
2014-04-12 21:27               ` Robert Bradley
2014-04-12 11:13 ` Robert Bradley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox