From: Robert Bradley
Date: Wed, 23 Apr 2014 17:44:23 +0100
To: cerowrt-devel@lists.bufferbloat.net
Cc: Dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures
Message-ID: <5357EDE7.2000409@gmail.com>
In-Reply-To: <5357E336.6070406@thekelleys.org.uk>

On 23/04/2014 16:58, Simon Kelley wrote:
> On 23/04/14 16:42, Dave Taht wrote:
>> I will argue that a better place to report dnssec validation
>> errors is the dnsmasq list.
>>
>> On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wrote:
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
>>> BOGUS
>>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
>>>
>>> This one validates via verisign, however.
>>>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK
>
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> But a query for DS on the same domain, which is what dnsmasq does next,
> returns SERVFAIL, _even_with_ checking disabled.
>
> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

This looks identical to the *.cloudflare.com issue I had last week. In
both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
Google's DNS servers as opposed to dnsmasq...
-- 
Robert Bradley
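
The triage step implied by the thread, as an added example that is not part of the original message or of dnsmasq itself: a small Python parser over the dnsmasq log lines quoted above that reports which names came back BOGUS, for which record type, and which upstream was asked for that record. The `triage` function, its regular expressions and the rule that a `validation result` line belongs to the preceding BOGUS reply are assumptions based only on the log format shown in this message.

```python
import re
from collections import defaultdict

# Log lines from the quoted report above, with the mail wrapping undone.
SAMPLE_LOG = """\
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
"""

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
DNSSEC_Q = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")
BOGUS = re.compile(r"reply (\S+) is BOGUS (\w+)$")
RESULT = re.compile(r"validation result is (\w+)$")

def triage(log_text):
    """Map each BOGUS name to its failing record types, upstreams and result."""
    asked = defaultdict(set)   # name -> {(rrtype, upstream)} from dnssec-query lines
    report, last_bogus = {}, None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue           # not a dnsmasq log line
        msg = m.group(1)
        if q := DNSSEC_Q.match(msg):
            asked[q.group(2)].add((q.group(1), q.group(3)))
        elif b := BOGUS.match(msg):
            name, rr = b.groups()
            entry = report.setdefault(
                name, {"bogus_rr": set(), "dnssec_upstreams": set(), "result": None})
            entry["bogus_rr"].add(rr)
            # Only the upstreams that were asked for the record type that failed.
            entry["dnssec_upstreams"] |= {up for t, up in asked[name] if t == rr}
            last_bogus = name
        elif (r := RESULT.match(msg)) and last_bogus:
            # Assumption: the result line belongs to the preceding BOGUS reply.
            report[last_bogus]["result"] = r.group(1)
            last_bogus = None
    return report

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, sorted(info["bogus_rr"]), sorted(info["dnssec_upstreams"]), info["result"])
```

On the quoted log this reports DS as the failing record type with 8.8.8.8 as the only upstream asked for it, which is the resolver to retest against another one such as the 4.2.2.2 mentioned in the reply.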