Message-ID: <53580EC3.3080807@thekelleys.org.uk>
Date: Wed, 23 Apr 2014 20:04:35 +0100
From: Simon Kelley
To: Dave Taht, Aaron Wood
Cc: dnsmasq-discuss, cerowrt-devel
References: <5357E336.6070406@thekelleys.org.uk> <5357EDE7.2000409@gmail.com>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] more dnssec failures

On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley wrote:
>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>
>>> This looks identical to the *.cloudflare.com issue I had last week. In
>>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>>> and 8.8.8.8 returns SERVFAIL for DS lookups. This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>>
>> A question about dnsmasq and multiple servers. If I listed both 4.2.2.2 and
>> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS? or just "stick" with the first server to
>> start responding with an A-record?
>
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.

subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.

Simon.

>> (I confess that I don't know the details of DNS very well)
>>
>> -Aaron
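The per-upstream check discussed in this thread, as an added example that is not part of the original messages and not dnsmasq code: it builds the same checking-disabled A and DS queries as the quoted `dig +cd` commands and flags an upstream that answers A but returns SERVFAIL for DS. The function names (`build_query`, `parse_rcode`, `probe`, `ds_broken`) are hypothetical, and the two sample response headers are constructed so the logic can be exercised offline.

```python
import secrets
import socket
import struct

QTYPE = {"A": 1, "DS": 43}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_QR, FLAG_RD, FLAG_CD = 0x8000, 0x0100, 0x0010

def build_query(name, qtype, txid=0x1234):
    """Query with RD and CD (checking disabled) set, as `dig +cd` sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_CD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def parse_rcode(response, txid=0x1234):
    """Return (rcode name, answer count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    return RCODE.get(flags & 0x000F, str(flags & 0x000F)), ancount

def probe(server, name, timeout=3.0):
    """Ask one upstream for A and DS with CD set. Needs network access."""
    results = {}
    for qtype in ("A", "DS"):
        txid = secrets.randbelow(0x10000)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((server, 53))  # only accept replies from this server
            sock.send(build_query(name, qtype, txid))
            results[qtype] = parse_rcode(sock.recv(4096), txid)[0]
    return results

def ds_broken(results):
    """The symptom in this thread: A resolves, DS is SERVFAIL even with CD."""
    return results.get("A") == "NOERROR" and results.get("DS") == "SERVFAIL"

# Constructed 12-byte response headers (not captured traffic): QR|RD|RA|CD.
SAMPLE_A_OK = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)
SAMPLE_DS_FAIL = struct.pack("!HHHHHH", 0x1234, 0x8192, 1, 0, 0, 0)

if __name__ == "__main__":
    sample = {"A": parse_rcode(SAMPLE_A_OK)[0], "DS": parse_rcode(SAMPLE_DS_FAIL)[0]}
    print(sample, "DS broken on this upstream:", ds_broken(sample))
```

Calling `probe()` once per configured upstream shows which server would fail validation if dnsmasq happened to get the initial answer from it, since the follow-up DS query goes to that same server.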