From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 44B2C21F1FA for ; Sat, 12 Apr 2014 14:27:46 -0700 (PDT) Received: by mail-wi0-f169.google.com with SMTP id hm4so3935481wib.0 for ; Sat, 12 Apr 2014 14:27:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=J8SW3Df4MC7Cto8m9qRpBCb8JqfCtHHsarC2rsrAtNU=; b=PqpcWE2ajfAUM1yTsHuWmiIdy73A8R8MJUKXnZYoOChU2qVEkYrK4DxOEN493FJ/Ne imDw/rOw1Xy4f3n4+vAQZUzdiSoS7PBDloz7aDD9USOzIIaE0nIYN/cOIULZ1xWaP0sT w22Nh0/NZP9qnQWdteWRksoVRYWRvg7YQoj2rkhFNUPhfBT321WQH6Noui9b8mGT15HS QyLFyHe8C/0j8QfMkLbTjPTgpu2iCjtH1Qi8NoIpp8vMJMGj20E8N1mDGhJT3vD/Ky0I 96CJUSaznnDq0sJcjMPPtXqJSbJhU1UQnMOCp9BCRliSgDbIJpf+FdT6ZAvO4js5Y22u DnAw== X-Received: by 10.180.182.166 with SMTP id ef6mr3515833wic.29.1397338064095; Sat, 12 Apr 2014 14:27:44 -0700 (PDT) Received: from ?IPv6:2001:470:6aac:2:89dc:f5fd:4744:e073? ([2001:470:6aac:2:89dc:f5fd:4744:e073]) by mx.google.com with ESMTPSA id ed10sm11864607wib.7.2014.04.12.14.27.42 for (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 12 Apr 2014 14:27:43 -0700 (PDT) Message-ID: <5349AFBC.1080101@gmail.com> Date: Sat, 12 Apr 2014 22:27:24 +0100 From: Robert Bradley User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Michael Richardson References: <53491E4F.4040108@gmail.com> <878urakdj7.fsf@alrua-x1.kau.toke.dk> <53492939.4090508@gmail.com> <874n1ykb68.fsf@alrua-x1.kau.toke.dk> <53493083.40808@gmail.com> <3489.1397329632@sandelman.ca> <5349A26B.2020105@gmail.com> <26014.1397336061@sandelman.ca> In-Reply-To: <26014.1397336061@sandelman.ca> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="HvLckHQEiXMBXl6QNFIAReLhKPjpq6e3i" Cc: cerowrt-devel Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq? X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2014 21:27:46 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --HvLckHQEiXMBXl6QNFIAReLhKPjpq6e3i Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 12/04/2014 21:54, Michael Richardson wrote: > Robert Bradley wrote: > >> Did I understand that your dnsmasq is using 8.8.8.8 as it's upst= ream > >> forwarder, so your results are filtered through google? > > > Yes, that's right. > > I think that there is some interaction between dnsmasq doing DNSSEC, an= d > Google DNS doing it as well. Can you try with some other open resolver= that > does not do DNSSEC resolution? Switching to using 4.2.2.2 seems to work fine. This may well be limited to particular networks and servers though given that these are anycast servers and Cloudflare is a CDN: root@cerowrt:~# traceroute 8.8.8.8 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets 1 * * * 2 leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65) 9.146 ms 6.761 ms 7.251 ms 3 manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249) 7.819 ms 11.558 ms 7.666 ms 4 manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117) 13.453 ms=20 49.300 ms 12.830 ms 5 manc-bb-1c-ae2-0.network.virginmedia.net (62.254.42.114) 7.613 ms=20 7.063 ms 7.924 ms 6 tele-ic-3-ae0-0.network.virginmedia.net (212.43.163.70) 13.606 ms=20 13.478 ms 14.151 ms 7 tele-ic-2-ge-301-0.inet.ntl.com (212.250.14.105) 46.178 ms 51.208 ms 50.896 ms 8 209.85.244.182 (209.85.244.182) 22.786 ms 209.85.244.184 (209.85.244.184) 14.510 ms 209.85.244.182 (209.85.244.182) 39.937 ms 9 209.85.253.94 (209.85.253.94) 14.654 ms 209.85.245.2 (209.85.245.2) 19.117 ms 14.333 ms 10 66.249.95.173 (66.249.95.173) 29.301 ms 72.14.242.166 (72.14.242.166) 19.458 ms 20.342 ms 11 72.14.238.217 (72.14.238.217) 53.472 ms 72.14.238.41 (72.14.238.41) 20.340 ms 20.248 ms 12 * * * 13 google-public-dns-a.google.com (8.8.8.8) 18.814 ms 19.262 ms=20 20.023 ms root@cerowrt:~# traceroute 4.2.2.2 traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets 1 * * * 2 leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65) 6.979 ms 6.162 ms 5.474 ms 3 manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249) 6.553 ms 32.480 ms 7.849 ms 4 manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117) 13.485 ms=20 13.117 ms 13.461 ms 5 brhm-bb-2a-ae1-0.network.virginmedia.net (62.254.42.49) 9.660 ms=20 9.528 ms 14.095 ms 6 * brhm-bb-1c-ae0-0.network.virginmedia.net (62.254.42.110) 9.213 ms= * 7 213.161.65.149 (213.161.65.149) 14.674 ms 15.765 ms 15.385 ms 8 4.68.70.77 (4.68.70.77) 15.200 ms 15.055 ms 15.223 ms 9 vl-3603-ve-227.csw2.London1.Level3.net (4.69.166.153) 13.883 ms=20 vl-3504-ve-118.csw1.London1.Level3.net (4.69.166.141) 18.986 ms=20 vl-3502-ve-116.csw1.London1.Level3.net (4.69.166.133) 20.304 ms 10 ae-234-3610.edge5.london1.Level3.net (4.69.166.53) 13.229 ms=20 ae-124-3510.edge5.london1.Level3.net (4.69.166.37) 18.553 ms=20 ae-123-3509.edge5.London1.Level3.net (4.69.166.33) 20.394 ms 11 b.resolvers.Level3.net (4.2.2.2) 14.764 ms 14.026 ms 15.251 ms --=20 Robert Bradley --HvLckHQEiXMBXl6QNFIAReLhKPjpq6e3i Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJTSa/MAAoJEGK/UXZZ8Ak6qxoP/RkScqru4aTMeAj8JKzDxPTK 623q4STK7xfCm5FnTwtzi3LMI96/KGFfvHR7H1Bs68g/Nh/l3M1IYTA5HJLo6I4W G2c/mAraPvmcUe8mhOH0PZgFbozMCzIEl1Ml6ZCVv/pZ8qsDHpwyxu9iyeGRncKb A3SrcwkY309EiNuMAdsI9qeqnBYWdGf50SS9xo1clVX5Jc2U+L3FE3+dI3Ja+s5z rtIBO0mOOsZeCeDR/nIsEDm1Akh6yMe3uU5N1cuUz+K8s0nnvHN3Viw1hAYsu1wy ISXQZndyy1jHO/vCHvvdZzJfeLiU1ODcIQ0npoyhjeP2DSUoRyRHySJ5e4owGs6w MbMOpNwfn/pbvOoG36jKEE6e77zJjW9R9HokjqVsttdtj4dZWilDjd1vN5D+RbcW rbwoqXHK4KsrvFBaK7EG+U4RHr2tIFUNe9+TUa1+AIwz/sJGdTavQ0ZmFlfMdv+O 6MbfvvpKx1DcqKJYw8w9KhfuKMSiId2VFhGp3si/7bb7qSeLoU5I8a7c6X7HMm8T UiPl274SiPNOlBPqhFzlBjbDYZBc3hDOegmyvWMywqej5mGoKeiutTtLb6mAIEn6 Yfz9XNw0/ZcvqO+ngI+1TtYFMSrzMxRi5bQ2dm1YCgpbeNwc9QQCy0NW8d7CQN0N NcXPLM3dG5ajdRASfZu9 =bdjJ -----END PGP SIGNATURE----- --HvLckHQEiXMBXl6QNFIAReLhKPjpq6e3i--