From: Dave Taht <dave.taht@gmail.com>
To: Jim Gettys <jg@freedesktop.org>
Cc: dnsmasq-discuss, cerowrt-devel@lists.bufferbloat.net
Date: Mon, 28 Apr 2014 11:37:42 -0700
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
List-Id: Development issues regarding the cerowrt test router project

I have put a link up to two of Jim's captures going to test-ipv6 via cero, one with dnssec enabled, captured at the local laptop:

http://snapon.lab.bufferbloat.net/~cero2/baddns/

Definitely a lot of missing responses when captured at this end. The local laptop is using a local dnsmasq forwarder.

It is falling back to trying a recursive lookup on the default domain ( ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for immediately...

On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht@gmail.com> wrote:
>
> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg@freedesktop.org> wrote:
>
>> Comcast recently lit up IPv6 native dual stack in the Boston area.
>>
>> The http://test-ipv6.com/ web site complains about DNS problems unless
>> dnssec is disabled; if it is, I get various timeouts.
>>
>> Test with IPv4 DNS record
>> ok (4.196s)
>> Test with IPv6 DNS record
>> ok (0.115s) using ipv6
>> Test with Dual Stack DNS record
>> timeout (11.882s)
>
> I don't know what this test does. Try a local query over ipv6?
>
>> Test for Dual Stack DNS and large packet
>> timeout (11.817s)
>> Test IPv4 without DNS
>> ok (0.214s) using ipv4
>> Test IPv6 without DNS
>> ok (0.204s) using ipv6
>> Test IPv6 large packet
>> ok (0.120s) using ipv6
>> Test if your ISP's DNS server uses IPv6
>> slow (8.752s)
>> Find IPv4 Service Provider
>> timeout (11.968s)
>> Find IPv6 Service Provider
>> ok (0.126s) using ipv6 ASN 7922
>> Test for buggy DNS
>> undefined (5.003s)
>>
>> DNS server addresses look reasonable for Comcast.
>> DNS 1: 75.75.75.75
>> DNS 2: 75.75.76.76
>
> To try to isolate things a little bit, you can turn off fetching ipv4
> dns servers with
>
> option peerdns '0'
>
> in the wan (ge00) stanza of /etc/config/network
> and let the wan6 stanza fetch them.
>
> A packet capture of it working vs not working would be good.
>
> tcpdump -i ge00 -w cap1.cap port 53
>
> Also capture on the local interface.
>
>> DNS 1: 2001:558:feed::1
>> DNS 2: 2001:558:feed::2
>>
>> Today, the problem seems consistent with turning dnssec on and off on the
>> router. If enabled, I have problems; if disabled, I get a clean bill of
>> health out of test-ipv6.com.
>> - Jim
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
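An added example, not from the thread and not CeroWrt or dnsmasq code: a small Python script that does what the captures above were taken for. It pairs each DNS query in a `tcpdump -w` file with its response by (ID, qname, qtype), lists the queries that never got an answer, records whether each query asked for DNSSEC data (EDNS DO bit), and flags the search-domain retries like ipv6.test-ipv6.com.home.lan together with their RCODE. The search domain `home.lan`, the Ethernet link type for `cap1.cap`, the single-question-per-message assumption and the messages built in `demo()` are assumptions; the sample capture is constructed here, not one of Jim's.

```python
"""Pair DNS queries with responses from a capture and list the ones that never came back."""
import struct

QTYPES = {1: "A", 28: "AAAA", 41: "OPT"}
SEARCH_DOMAIN = "home.lan"  # assumed from the ipv6.test-ipv6.com.home.lan fallback in the thread

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end     # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_dns(payload):
    """Pull id, QR, RCODE, the question and the EDNS DO bit out of a message (assumes QDCOUNT == 1)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    qname, off = parse_name(payload, 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    off, do = off + 4, False                           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):                      # walk every RR looking for OPT
        _, off = parse_name(payload, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10 + rdlen
        if rtype == 41 and ttl & 0x8000:               # DO bit lives in the OPT TTL field (RFC 6891)
            do = True
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname.lower(), "qtype": QTYPES.get(qtype, qtype), "do": do}

def match(messages, search_domain=SEARCH_DOMAIN):
    """Pair queries with responses by (id, qname, qtype); messages are (timestamp, payload) in capture order."""
    pending, report = {}, {"answered": [], "unanswered": [], "fallback": []}
    for ts, payload in messages:
        m = parse_dns(payload)
        key = (m["id"], m["qname"], m["qtype"])
        if not m["response"]:
            pending[key] = (ts, m)
            continue
        sent = pending.pop(key, None)
        if sent is None:                               # late or duplicate response: ignore
            continue
        entry = {"qname": m["qname"], "qtype": m["qtype"], "do": sent[1]["do"],
                 "rcode": m["rcode"], "rtt": ts - sent[0]}
        report["answered"].append(entry)
        if m["qname"].endswith("." + search_domain):   # resolver appended its search domain
            report["fallback"].append(entry)
    report["unanswered"] = [{"qname": m["qname"], "qtype": m["qtype"], "do": m["do"]}
                            for _, m in pending.values()]
    return report

def read_pcap(path):
    """Yield (timestamp, DNS payload) for UDP/53 packets in a classic pcap file.
    Assumes Ethernet frames (link type 1), as tcpdump writes for ge00, and no VLAN tags."""
    with open(path, "rb") as f:
        magic, hdr = f.read(4), f.read(20)
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        if struct.unpack(endian + "I", hdr[16:20])[0] != 1:
            raise ValueError("example handles Ethernet captures only")
        while len(rec := f.read(16)) == 16:
            sec, usec, caplen, _ = struct.unpack(endian + "4I", rec)
            frame = f.read(caplen)
            ethertype = struct.unpack("!H", frame[12:14])[0]
            if ethertype == 0x0800:                        # IPv4: IHL gives header length
                proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
            elif ethertype == 0x86DD:                      # IPv6: fixed 40-byte header, no extension headers
                proto, l4 = frame[20], 54
            else:
                continue
            if proto == 17 and 53 in struct.unpack("!HH", frame[l4:l4 + 4]):
                yield sec + usec / 1e6, frame[l4 + 8:]

def build_query(ident, qname, qtype, do=True):
    """Constructed sample query: RD set, one question, optional EDNS OPT with DO."""
    msg = struct.pack("!6H", ident, 0x0100, 1, 0, 0, int(do)) + encode_name(qname)
    return msg + struct.pack("!HH", qtype, 1) + (b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if do else b"")

def build_response(query, rcode=0):
    """Constructed sample response: the query's question and OPT echoed with QR/RD/RA set."""
    ident, _, qd, _, _, ar = struct.unpack("!6H", query[:12])
    return struct.pack("!6H", ident, 0x8180 | rcode, qd, 0, 0, ar) + query[12:]

def demo():
    """Constructed capture (not Jim's): A query with DO set gets no answer, AAAA does, the search-domain retry gets NXDOMAIN."""
    q_a, q_aaaa = build_query(0x1001, "ipv6.test-ipv6.com", 1), build_query(0x1002, "ipv6.test-ipv6.com", 28)
    q_fb = build_query(0x1003, "ipv6.test-ipv6.com.home.lan", 1, do=False)
    return match([(0.000, q_a), (0.001, q_aaaa), (0.115, build_response(q_aaaa)),
                  (5.000, q_fb), (5.004, build_response(q_fb, rcode=3))])   # rcode 3 = NXDOMAIN

if __name__ == "__main__":
    import sys
    print(match(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else demo())
```

Saved as, say, dnscheck.py, run it once against the router-side capture and once against the laptop-side one: a query that shows up as unanswered on one side but answered on the other tells you where the response was lost, and the DO flag on the unanswered entries shows whether only the DNSSEC-requesting queries are affected. With no argument it runs the constructed sample.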