From: Toke Høiland-Jørgensen
To: Robert Bradley
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
Date: Sat, 12 Apr 2014 14:02:55 +0200

Robert Bradley writes:

> That seems to suggest that it's the DS queries that are failing and
> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
> seems to suggest that their nameservers refuse requests for DNSKEY
> records.

I seem to have no problems resolving either cloudfare.com or
cloudfare.net with dnssec validation enabled. But then I might have a
different view of their DNS infrastructure; I'm in Sweden...

You can try running dig with +dnssec +trace to see where in the chain
things go wrong...

-Toke