From: Sebastian Moeller
To: Dave Taht
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 10 Apr 2014 21:06:26 +0200
Subject: Re: [Cerowrt-devel] cerowrt-3.10.36-4 released

Hi Dave,

On Apr 10, 2014, at 19:29, Dave Taht wrote:

> On Thu, Apr 10, 2014 at 8:18 AM, Robert Bradley wrote:
>> On 10/04/2014 15:32, Toke Høiland-Jørgensen wrote:
>>> Robert Bradley writes:
>>>
>>>> - I had to add my cable modem configuration address to the BCP38
>>>> exception list (192.168.100.1). This gets used for nothing except
>>>> configuration and checking the modem logs so this is understandable. I
>>>> also end up adding a static route anyway since if Internet breaks, I
>>>> need a route to the modem...
>>> If you add a 'scope link' route on the wan interface, the BCP38 code
>>> *should* pick this up automatically and add an exception. Would be cool
>>> if you could test this :)
>>
>> Just tested this now and it works fine. :)
>
> How did you add scope link?
>
>>>> - dnsmasq's default of dnssec-check-unsigned broke my DNS, since my
>>>> ISP servers do not support DNSSEC. In that case, everything winds up
>>>> as failing.
>>> That's an interesting failure mode. FWIW you can point it at
>>> 8.8.8.8/8.8.4.4 instead if you want dnssec verification :)
>>
>> I was tempted to leave it as-is, but tested it now with a custom
>> /tmp/resolv.conf.manual file and it also works well with added DNSSEC
>> checks.
>
> As if working around the time problem was not headache enough...
>
> I note that until now the dnssec implementation was NOT doing negative
> proofs (proofs of non-existence of a signature), as I added
> dnssec-check-unsigned to /etc/dnsmasq.conf in this release.
>
> dnssec
> dnssec-check-unsigned
>
> I do foresee this (and dnssec in general) causing massive problems in
> environments that muck with dns. I have no idea as to how prevalent this
> problem is.
>
> I'd like for it to not fail silently, but fall back to non-dnssec behavior
> in some way that gives the user a chance to figure out why their network
> isn't working and who to point a finger at.
>
> Automagically falling back to 8.8.8.8 doesn't bother me much, except in
> places where that is blocked too.
>
> Anyway.
>
> 1) You can specify your dns servers in /etc/config/network, and disable
> fetching your provider's addresses via adding
>
> option 'dns' '8.8.8.8 4.4.4.4'
> option 'peerdns' '0'

Thanks a lot. This (plus a restart) actually got DNS and hence "the internet" working again (on a German Deutsche Telekom ADSL line with cerowrt as secondary router after the DT-supplied one).

> to the ge00 declaration. This will do the right thing to resolv.conf.auto.
>
> Another thing the above is useful for: if you have working ipv6 via
> dhcppd, you will get the ipv6 dns servers from upstream and use those
> only.... (otherwise dnsmasq will choose the "best" upstream and generally
> chooses the ipv4 one)
>
> 2) Alternatively, you can disable dnssec by commenting it out in
> /etc/dnsmasq.conf
>
> 3) Of course, I advocate pestering your provider to enable dnssec (and
> ipv6) also.
>
> I would like to obsolete resolv.conf.auto in favor of some of the new
> options to dnsmasq (--revaddr and another I forget), which will make
> resolving multi-homed and dns through vpns saner and easier
>
> 4) I'd like to benchmark the impact of the non-existence proofs...
>
>> --
>> Robert Bradley
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
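An added check, not from this thread or from the CeroWrt project: before switching on dnsmasq's dnssec-check-unsigned, probe whether the upstream forwarder actually returns DNSSEC records, since a resolver that strips RRSIGs is exactly what makes every lookup fail as Robert describes. It assumes `dig` is installed for the live probe; the parsing functions work on pasted dig output, so they can be checked offline.

```shell
#!/bin/sh
# Added example, not from the thread or the CeroWrt project: check whether an
# upstream resolver passes DNSSEC material before turning on dnsmasq's
# dnssec-check-unsigned. dnsmasq validates on its own, so the upstream only
# has to honour the DO bit and return RRSIG records; a forwarder that strips
# them makes every validated lookup fail.
# Assumes `dig` is available for the live probe (package bind-dig on OpenWrt).

# dnssec_answer_ok: read dig output on stdin; succeed only if the query
# returned NOERROR and the answer carries at least one RRSIG record.
dnssec_answer_ok() {
    answer=$(cat)
    printf '%s\n' "$answer" | grep -q '^;; ->>HEADER<<-.*status: NOERROR' || return 1
    printf '%s\n' "$answer" | grep -q '[[:space:]]IN[[:space:]]*RRSIG[[:space:]]' || return 1
    return 0
}

# ad_flag_set: informational only; the upstream itself validated the answer.
ad_flag_set() {
    grep -q '^;; flags:.* ad[ ;]'
}

# probe_resolver: ask resolver $1 for the (signed) root SOA with the DO bit
# set and report whether it is usable behind dnsmasq with DNSSEC enabled.
probe_resolver() {
    out=$(dig +dnssec +time=3 +tries=1 @"$1" . SOA 2>/dev/null)
    if printf '%s\n' "$out" | dnssec_answer_ok; then
        if printf '%s\n' "$out" | ad_flag_set; then
            echo "$1: returns RRSIGs and validates itself (AD set)"
        else
            echo "$1: returns RRSIGs; dnsmasq can validate them"
        fi
        return 0
    fi
    echo "$1: no RRSIG in answer; dnssec-check-unsigned will break lookups"
    return 1
}

# Live usage: ./probe.sh 8.8.8.8  (address is a constructed example)
if [ "$#" -gt 0 ]; then
    probe_resolver "$1"
fi
```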