On 23/04/2014 16:58, Simon Kelley wrote:
> On 23/04/14 16:42, Dave Taht wrote:
>> I will argue that a better place to report dnssec validation
>> errors is the dnsmasq list.
>>
>> On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wrote:
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
>>>
>>> This one validates via verisign, however.
>>>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK
>
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> But a query for DS on the same domain, which is what dnsmasq does next,
> returns SERVFAIL, _even_with_ checking disabled.
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

This looks identical to the *.cloudflare.com issue I had last week. In both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine, and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in Google's DNS servers as opposed to dnsmasq...

-- 
Robert Bradley
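An added example, not code from the thread or from dnsmasq: a small Python parser that groups dnsmasq's query/forwarded/dnssec-query/reply log lines by query name, so that a BOGUS verdict can be tied to the upstream server that was asked for the DS record (the log format and sample lines are the ones quoted above; the function names are my own).

```python
import re
from collections import defaultdict

# Syslog prefix as written by this router's dnsmasq, followed by the message.
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")

# Sample input: the log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
"""

def parse_dnsmasq_log(text):
    """Group dnsmasq query/forward/dnssec/reply lines by query name."""
    state = defaultdict(lambda: {"upstreams": set(), "ds_servers": set(),
                                 "bogus": False, "answers": []})
    last_name = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(("query[", "forwarded ", "dnssec-query[", "reply ")):
            kind, rest = msg.split(" ", 1)
            name, _, tail = rest.partition(" ")
            last_name, entry = name, state[name]
            if kind == "forwarded" and tail.startswith("to "):
                entry["upstreams"].add(tail[3:])
            elif kind.startswith("dnssec-query") and tail.startswith("to "):
                entry["ds_servers"].add(tail[3:])
            elif kind == "reply" and tail.startswith("is "):
                if tail[3:].startswith("BOGUS"):
                    entry["bogus"] = True
                else:
                    entry["answers"].append(tail[3:])
        elif msg.startswith("validation result is") and last_name:
            # The verdict line carries no name; it refers to the preceding reply.
            state[last_name]["bogus"] |= msg.endswith("BOGUS")
    return dict(state)

def bogus_names(text):
    # Names that failed validation, with the servers that were asked for DS.
    return sorted((n, sorted(e["ds_servers"]))
                  for n, e in parse_dnsmasq_log(text).items() if e["bogus"])
```

Run against a full dnsmasq log with log-queries enabled, the report shows which upstream each BOGUS name's DS query went to, which is the comparison the thread makes by hand with dig.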