* [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 11:06 UTC
To: cerowrt-devel

I noticed today that attempts to visit www.cloudflare.com and other
subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
DNSSEC checks are enabled, but not if I query Google DNS directly.  The
resulting queries are:

root@cerowrt:~# dig www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; Query time: 808 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:10 UTC 2014
;; MSG SIZE  rcvd: 47

root@cerowrt:~# dig +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +adflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; Query time: 913 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:21 UTC 2014
;; MSG SIZE  rcvd: 47

root@cerowrt:~# dig +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     297     IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net.  297     IN      CNAME   cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     297     IN      A       198.41.212.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     297     IN      A       198.41.213.157

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:26 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     84      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net.  166     IN      CNAME   cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     166     IN      A       198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     166     IN      A       198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:35 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +adflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +adflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     77      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net.  159     IN      CNAME   cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     159     IN      A       198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     159     IN      A       198.41.212.157

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:41 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~# dig @8.8.8.8 +cdflag www.cloudflare.com A IN

; <<>> DiG 9.9.4 <<>> @8.8.8.8 +cdflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com.            IN      A

;; ANSWER SECTION:
www.cloudflare.com.     69      IN      CNAME   www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net.  151     IN      CNAME   cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     151     IN      A       198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.     151     IN      A       198.41.212.157

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:48 UTC 2014
;; MSG SIZE  rcvd: 169

root@cerowrt:~#

Can anyone explain why this should be the case?

-- 
Robert Bradley
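The six dig runs above form a standard triage pattern: the same question against the local validating forwarder with default flags, again with +cdflag (checking disabled), and once more straight at the upstream. The script below is an added example, not code from the original post; it parses the header lines dig prints and turns the three results into a verdict. The sample outputs are constructed to mirror the runs above, trimmed to the lines the parser reads, and the verdict strings are this example's own naming.

```python
"""Triage a DNSSEC SERVFAIL from a handful of dig runs.

Added example for this thread, not code from the original post.  It reads
the header lines dig prints and compares three runs of the same question:
the local validating forwarder with default flags, the same with +cdflag,
and the forwarder's upstream queried directly.
"""
import re

_ARGS_RE = re.compile(r"^; <<>> DiG [^<]*<<>> (?P<args>.*)$")
_STATUS_RE = re.compile(r"->>HEADER<<-.*status: (?P<status>[A-Z]+)")
_FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);")
_SERVER_RE = re.compile(r"^;; SERVER: (?P<server>[^#]+)#")


def parse_dig(output):
    """Extract dig arguments, rcode, header flags and answering server."""
    run = {"args": "", "status": None, "flags": frozenset(), "server": None}
    for raw in output.splitlines():
        line = raw.strip()
        if m := _ARGS_RE.match(line):
            run["args"] = m.group("args").strip()
        elif m := _STATUS_RE.search(line):
            run["status"] = m.group("status")
        elif m := _FLAGS_RE.match(line):
            run["flags"] = frozenset(m.group("flags").split())
        elif m := _SERVER_RE.match(line):
            run["server"] = m.group("server")
    return run


def triage(local_plain, local_cd, upstream_plain):
    """Locate a DNSSEC-related failure from three parsed runs.

    local_plain    validating forwarder, default flags (CD=0)
    local_cd       validating forwarder with +cdflag (CD=1)
    upstream_plain the forwarder's upstream queried directly
    """
    status = local_plain["status"]
    if status == "NOERROR":
        # AD set means the forwarder validated the chain; without it the
        # answer was accepted as insecure (unsigned zone, or validation off).
        return "secure" if "ad" in local_plain["flags"] else "insecure"
    if status != "SERVFAIL":
        return "other:" + str(status)
    if local_cd["status"] == "NOERROR":
        # CD=1 made the validator hand the data over: it exists and resolves,
        # so the SERVFAIL is the validator marking it BOGUS (bad signatures
        # or an unusable DS/proof chain coming from the upstream).
        return "validator-bogus"
    if upstream_plain["status"] == "NOERROR":
        # No data even with checking disabled, yet the upstream answers:
        # the forwarder itself is failing, not DNSSEC.
        return "forwarder-failure"
    return "upstream-failure"


# Constructed sample outputs, trimmed to the lines parse_dig reads.
LOCAL_PLAIN = """
; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
LOCAL_CD = """
; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
UPSTREAM_PLAIN = """
; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""


def thread_case():
    """Triage the three runs that mirror the message above."""
    return triage(parse_dig(LOCAL_PLAIN), parse_dig(LOCAL_CD),
                  parse_dig(UPSTREAM_PLAIN))


if __name__ == "__main__":
    print(thread_case())
```

The key observation the script encodes is the CD flag: a validator that returns SERVFAIL with CD=0 but NOERROR with CD=1 is rejecting data it can fetch, so the next place to look is the validation inputs (signatures, DS records) rather than connectivity.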
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Toke Høiland-Jørgensen @ 2014-04-12 11:11 UTC
To: Robert Bradley; +Cc: cerowrt-devel

Robert Bradley <robert.bradley1@gmail.com> writes:

> Can anyone explain why this should be the case?

If you turn on log-queries in the dnsmasq config, you can see the
results of the dnssec validation in the logs which might give a hint :)

-Toke
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 11:53 UTC
To: Toke Høiland-Jørgensen; +Cc: cerowrt-devel

On 12/04/2014 12:11, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1@gmail.com> writes:
>
>> Can anyone explain why this should be the case?
> If you turn on log-queries in the dnsmasq config, you can see the
> results of the dnssec validation in the logs which might give a hint :)
>
> -Toke

OK, with log-queries on I get:

Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157

Running tcpdump -i ge00 port 53 -v -v -n during a query from Windows 7
nslookup, I see:

11:44:44.884477 IP (tos 0x90, ttl 64, id 16465, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.8.8.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.884652 IP (tos 0x90, ttl 64, id 26115, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.4.4.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.904068 IP (tos 0x0, ttl 47, id 47459, offset 0, flags [none], proto UDP (17), length 197)
    8.8.8.8.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904120 IP (tos 0x0, ttl 45, id 57740, offset 0, flags [none], proto UDP (17), length 197)
    8.8.4.4.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904720 IP (tos 0x90, ttl 64, id 16466, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.60232 > 8.8.8.8.53: [udp sum ok] 43145+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.430963 IP (tos 0x0, ttl 49, id 13829, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.60232: [udp sum ok] 43145 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.434094 IP (tos 0x90, ttl 64, id 16467, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.27765 > 8.8.8.8.53: [udp sum ok] 6810+ [1au] AAAA? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.455145 IP (tos 0x0, ttl 47, id 13830, offset 0, flags [none], proto UDP (17), length 221)
    8.8.8.8.53 > 86.1.32.208.27765: [udp sum ok] 6810 q: AAAA? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d59d, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d49d ar: . OPT UDPsize=512 OK (193)
11:44:45.455845 IP (tos 0x90, ttl 64, id 16468, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.895583 IP (tos 0x0, ttl 47, id 16395, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.896049 IP (tos 0x90, ttl 64, id 26116, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.4.4.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:45.896242 IP (tos 0x90, ttl 64, id 16469, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:46.335616 IP (tos 0x0, ttl 46, id 44525, offset 0, flags [none], proto UDP (17), length 75)
    8.8.4.4.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:46.341564 IP (tos 0x0, ttl 47, id 47460, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)

That seems to suggest that it's the DS queries that are failing and
that this is probably not a dnsmasq bug.  Trying Verisign's DNSSEC
debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
seems to suggest that their nameservers refuse requests for DNSKEY
records.

-- 
Robert Bradley
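The log-queries output above carries enough structure to be read by a script rather than by eye: dnsmasq logs the client query, the upstream it forwarded to, any dnssec-query it had to issue, the replies, and finally the validation result. The following is an added example, not dnsmasq's code or the poster's; it groups those lines per query and distinguishes a BOGUS caused by an unusable DS answer (the upstream could not supply the proof) from a BOGUS caused by signatures that did not verify. Grouping is sequential, which assumes one query in flight at a time as in the log above; a busy resolver interleaves lines from concurrent queries. The sample log reuses the thread's lines and adds a constructed SECURE query for contrast; the diagnosis labels are this example's own.

```python
"""Read dnsmasq log-queries output and say why a name went BOGUS.

Added example for this thread, not dnsmasq's code or the poster's.
"""
import re

_MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
_QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
_FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)")
_DNSSEC_RE = re.compile(r"^dnssec-query\[(?P<qtype>\w+)\] (?P<name>\S+) to (?P<server>\S+)")
_REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$")
_RESULT_RE = re.compile(r"^validation result is (?P<result>\S+)")


def summarize(lines):
    """Group log lines into one trace per client query (sequential grouping)."""
    traces, cur = [], None
    for line in lines:
        m = _MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if q := _QUERY_RE.match(msg):
            cur = {"qname": q["name"], "qtype": q["qtype"], "client": q["client"],
                   "upstreams": set(), "dnssec_queries": [], "bogus_replies": [],
                   "answers": [], "result": None}
            traces.append(cur)
        elif cur is None:
            continue                      # lines before the first query
        elif f := _FWD_RE.match(msg):
            cur["upstreams"].add(f["server"])
        elif d := _DNSSEC_RE.match(msg):
            cur["dnssec_queries"].append((d["qtype"], d["name"], d["server"]))
        elif r := _REPLY_RE.match(msg):
            bucket = cur["bogus_replies"] if r["value"].startswith("BOGUS") else cur["answers"]
            bucket.append((r["name"], r["value"]))
        elif v := _RESULT_RE.match(msg):
            cur["result"] = v["result"]
    return traces


def diagnose(trace):
    """Classify one trace; BOGUS is split by what dnsmasq rejected."""
    if trace["result"] != "BOGUS":
        return trace["result"] or "no-result"
    if any(v.startswith("BOGUS DS") for _, v in trace["bogus_replies"]):
        # The DS answer from the upstream was unusable, so dnsmasq could not
        # prove whether the zone is signed.  Suspect the upstream path first.
        return "bogus-ds-lookup"
    if any(qt == "DNSKEY" for qt, _, _ in trace["dnssec_queries"]):
        return "bogus-signature"          # keys fetched, signatures did not verify
    return "bogus-other"


def report(lines):
    """One (qname, qtype, sorted upstreams, diagnosis) row per query."""
    return [(t["qname"], t["qtype"], sorted(t["upstreams"]), diagnose(t))
            for t in summarize(lines)]


# Sample log: the thread's lines for www.cloudflare.com, followed by a
# constructed SECURE query for a made-up name on a different upstream.
SAMPLE_LOG = """\
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157
Sat Apr 12 11:42:10 2014 daemon.info dnsmasq[14581]: query[A] example.net from 192.0.2.20
Sat Apr 12 11:42:10 2014 daemon.info dnsmasq[14581]: forwarded example.net to 4.2.2.2
Sat Apr 12 11:42:10 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] example.net to 4.2.2.2
Sat Apr 12 11:42:10 2014 daemon.info dnsmasq[14581]: dnssec-query[DNSKEY] example.net to 4.2.2.2
Sat Apr 12 11:42:11 2014 daemon.info dnsmasq[14581]: reply example.net is 192.0.2.10
Sat Apr 12 11:42:11 2014 daemon.info dnsmasq[14581]: validation result is SECURE
""".splitlines()


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run it over a syslog extract and the "bogus-ds-lookup" rows are the ones where switching or fixing the upstream is the likely remedy, which is the conclusion this thread eventually reaches; "bogus-signature" rows point at the zone's own keys and signatures instead.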
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Toke Høiland-Jørgensen @ 2014-04-12 12:02 UTC
To: Robert Bradley; +Cc: cerowrt-devel

Robert Bradley <robert.bradley1@gmail.com> writes:

> That seems to suggest that it's the DS queries that are failing and
> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
> seems to suggest that their nameservers refuse requests for DNSKEY
> records.

I seem to have no problems resolving either cloudflare.com or
cloudflare.net with dnssec validation enabled. But then I might have a
different view of their DNS infrastructure; I'm in Sweden...

You can try running dig with +dnssec +trace to see where in the chain
things go wrong...

-Toke
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 12:24 UTC
To: Toke Høiland-Jørgensen; +Cc: cerowrt-devel

On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1@gmail.com> writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudflare.com or
> cloudflare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke

Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root.  It looks like there is some issue with 8.8.8.8 and 8.8.4.4
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.

-- 
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Dave Taht @ 2014-04-12 19:06 UTC
To: Robert Bradley; +Cc: cerowrt-devel

I tweeted this thread to cloudflare.

On Sat, Apr 12, 2014 at 5:24 AM, Robert Bradley
<robert.bradley1@gmail.com> wrote:
> On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
>> Robert Bradley <robert.bradley1@gmail.com> writes:
>>
>>> That seems to suggest that it's the DS queries that are failing and
>>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>>> seems to suggest that their nameservers refuse requests for DNSKEY
>>> records.
>> I seem to have no problems resolving either cloudflare.com or
>> cloudflare.net with dnssec validation enabled. But then I might have a
>> different view of their DNS infrastructure; I'm in Sweden...
>>
>> You can try running dig with +dnssec +trace to see where in the chain
>> things go wrong...
>>
>> -Toke
>
> Using +dnssec +trace returns no errors, but that ends up bypassing both
> Google's DNS servers and dnsmasq in favour of going directly to the DNS
> root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
> disliking that particular domain (at least from a UK point of view), but
> I am unable to see what it is.
>
> --
> Robert Bradley
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Michael Richardson @ 2014-04-12 19:07 UTC
To: Robert Bradley; +Cc: cerowrt-devel

Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
forwarder, so your results are filtered through google?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 20:30 UTC
To: Michael Richardson; +Cc: cerowrt-devel

On 12/04/2014 20:07, Michael Richardson wrote:
> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
> forwarder, so your results are filtered through google?

Yes, that's right.

-- 
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Michael Richardson @ 2014-04-12 20:54 UTC
To: Robert Bradley; +Cc: cerowrt-devel

Robert Bradley <robert.bradley1@gmail.com> wrote:
    >> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
    >> forwarder, so your results are filtered through google?

    > Yes, that's right.

I think that there is some interaction between dnsmasq doing DNSSEC, and
Google DNS doing it as well.  Can you try with some other open resolver that
does not do DNSSEC resolution?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 21:27 UTC
To: Michael Richardson; +Cc: cerowrt-devel

On 12/04/2014 21:54, Michael Richardson wrote:
> Robert Bradley <robert.bradley1@gmail.com> wrote:
>     >> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
>     >> forwarder, so your results are filtered through google?
>
>     > Yes, that's right.
>
> I think that there is some interaction between dnsmasq doing DNSSEC, and
> Google DNS doing it as well.  Can you try with some other open resolver that
> does not do DNSSEC resolution?

Switching to using 4.2.2.2 seems to work fine.  This may well be limited
to particular networks and servers though, given that these are anycast
servers and Cloudflare is a CDN:

root@cerowrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  * * *
 2  leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65)  9.146 ms  6.761 ms  7.251 ms
 3  manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249)  7.819 ms  11.558 ms  7.666 ms
 4  manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117)  13.453 ms  49.300 ms  12.830 ms
 5  manc-bb-1c-ae2-0.network.virginmedia.net (62.254.42.114)  7.613 ms  7.063 ms  7.924 ms
 6  tele-ic-3-ae0-0.network.virginmedia.net (212.43.163.70)  13.606 ms  13.478 ms  14.151 ms
 7  tele-ic-2-ge-301-0.inet.ntl.com (212.250.14.105)  46.178 ms  51.208 ms  50.896 ms
 8  209.85.244.182 (209.85.244.182)  22.786 ms  209.85.244.184 (209.85.244.184)  14.510 ms  209.85.244.182 (209.85.244.182)  39.937 ms
 9  209.85.253.94 (209.85.253.94)  14.654 ms  209.85.245.2 (209.85.245.2)  19.117 ms  14.333 ms
10  66.249.95.173 (66.249.95.173)  29.301 ms  72.14.242.166 (72.14.242.166)  19.458 ms  20.342 ms
11  72.14.238.217 (72.14.238.217)  53.472 ms  72.14.238.41 (72.14.238.41)  20.340 ms  20.248 ms
12  * * *
13  google-public-dns-a.google.com (8.8.8.8)  18.814 ms  19.262 ms  20.023 ms

root@cerowrt:~# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  * * *
 2  leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65)  6.979 ms  6.162 ms  5.474 ms
 3  manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249)  6.553 ms  32.480 ms  7.849 ms
 4  manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117)  13.485 ms  13.117 ms  13.461 ms
 5  brhm-bb-2a-ae1-0.network.virginmedia.net (62.254.42.49)  9.660 ms  9.528 ms  14.095 ms
 6  *  brhm-bb-1c-ae0-0.network.virginmedia.net (62.254.42.110)  9.213 ms  *
 7  213.161.65.149 (213.161.65.149)  14.674 ms  15.765 ms  15.385 ms
 8  4.68.70.77 (4.68.70.77)  15.200 ms  15.055 ms  15.223 ms
 9  vl-3603-ve-227.csw2.London1.Level3.net (4.69.166.153)  13.883 ms  vl-3504-ve-118.csw1.London1.Level3.net (4.69.166.141)  18.986 ms  vl-3502-ve-116.csw1.London1.Level3.net (4.69.166.133)  20.304 ms
10  ae-234-3610.edge5.london1.Level3.net (4.69.166.53)  13.229 ms  ae-124-3510.edge5.london1.Level3.net (4.69.166.37)  18.553 ms  ae-123-3509.edge5.London1.Level3.net (4.69.166.33)  20.394 ms
11  b.resolvers.Level3.net (4.2.2.2)  14.764 ms  14.026 ms  15.251 ms

-- 
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 11:13 UTC
To: cerowrt-devel

On 12/04/2014 12:06, Robert Bradley wrote:
> I noticed today that attempts to visit www.cloudflare.com and other
> subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
> DNSSEC checks are enabled, but not if I query Google DNS directly.

If it helps, it seems to be an issue with dnssec-check-unsigned again.
This time, though, it was via Google's DNS.  (Using the Virgin Media DNS
servers, dnssec-check-unsigned kills all DNS as per my previous posts.)

-- 
Robert Bradley