From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Taht
To: Jim Gettys
Cc: dnsmasq-discuss, "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Mon, 28 Apr 2014 11:56:32 -0700
List-Id: Development issues regarding the cerowrt test router project

I see A and AAAA requests for "ds.test-ipv6.com" that fail.

On Mon, Apr 28, 2014 at 11:37 AM, Dave Taht <dave.taht@gmail.com> wrote:

> I have put a link up to two of Jim's captures going to test-ipv6 via cero,
> one with dnssec enabled, captured at the local laptop
>
> http://snapon.lab.bufferbloat.net/~cero2/baddns/
>
> definitely a lot of missing responses when captured at this end. the local
> laptop is using a local dnsmasq forwarder.
>
> It is falling back to trying a recursive lookup on the default domain (
> ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for
> immediately...
>
> On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht@gmail.com> wrote:
>
>> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg@freedesktop.org> wrote:
>>
>>> Comcast recently lit up IPv6 native dual stack in the Boston area.
>>>
>>> The http://test-ipv6.com/ web site complains about DNS problems unless
>>> dnssec is disabled; if it is, I get various timeouts.
>>>
>>> Test with IPv4 DNS record
>>> ok (4.196s)
>>> Test with IPv6 DNS record
>>> ok (0.115s) using ipv6
>>> Test with Dual Stack DNS record
>>> timeout (11.882s)
>>
>> I don't know what this test does. try a local query over ipv6?
>>
>>> Test for Dual Stack DNS and large packet
>>> timeout (11.817s)
>>> Test IPv4 without DNS
>>> ok (0.214s) using ipv4
>>> Test IPv6 without DNS
>>> ok (0.204s) using ipv6
>>> Test IPv6 large packet
>>> ok (0.120s) using ipv6
>>> Test if your ISP's DNS server uses IPv6
>>> slow (8.752s)
>>> Find IPv4 Service Provider
>>> timeout (11.968s)
>>> Find IPv6 Service Provider
>>> ok (0.126s) using ipv6 ASN 7922
>>> Test for buggy DNS
>>> undefined (5.003s)
>>>
>>> DNS server addresses look reasonable for Comcast.
>>> DNS 1: 75.75.75.75
>>> DNS 2: 75.75.76.76
>>
>> To try to isolate things a little bit, you can turn off fetching ipv4
>> dns servers with
>>
>> option peerdns '0'
>>
>> in the wan (ge00) stanza of /etc/config/network
>>
>> and let the wan6 stanza fetch them.
>>
>> A packet capture of it working vs not working would be good.
>>
>> tcpdump -i ge00 -w cap1.cap port 53
>>
>> Also capture on the local interface.
>>
>>> DNS 1: 2001:558:feed::1
>>> DNS 2: 2001:558:feed::2
>>>
>>> Today, the problem seems consistent with turning dnssec on and off on
>>> the router. If enabled, I have problems; if disabled, I get a clean bill
>>> of health out of test-ipv6.com.
>>> - Jim

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
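One way to quantify the "missing responses" described in the thread, as an added example that is not part of the original message: it pairs DNS queries with replies by client address, port and transaction ID in the text output of `tcpdump -n -r cap1.cap`. The sample lines are constructed and the function name `analyse` is hypothetical.

```python
import re
from collections import Counter

# Constructed `tcpdump -n -r cap1.cap` style output. Addresses are from
# documentation ranges; none of this is taken from the captures in the thread.
SAMPLE = """\
11:37:01.000100 IP 192.0.2.10.40001 > 192.0.2.1.53: 1001+ A? test-ipv6.com. (31)
11:37:01.020400 IP 192.0.2.1.53 > 192.0.2.10.40001: 1001 1/0/0 A 198.51.100.7 (47)
11:37:02.000100 IP 192.0.2.10.40002 > 192.0.2.1.53: 1002+ A? ds.test-ipv6.com. (34)
11:37:02.000300 IP 192.0.2.10.40002 > 192.0.2.1.53: 1003+ AAAA? ds.test-ipv6.com. (34)
11:37:07.005100 IP 192.0.2.10.40003 > 192.0.2.1.53: 1004+ A? ds.test-ipv6.com. (34)
11:37:07.005900 IP 192.0.2.10.40004 > 192.0.2.1.53: 1005+ A? ipv6.test-ipv6.com.home.lan. (45)
11:37:07.006800 IP 192.0.2.1.53 > 192.0.2.10.40004: 1005 NXDomain 0/1/0 (120)
"""

# Query: client.port > resolver.53: <id><flags> [opts] <QTYPE>? <name>
QUERY = re.compile(
    r" IP6? (\S+)\.(\d+) > \S+\.53: (\d+)\S* (?:\[\S+\] )?([A-Z]+)\? (\S+)")
# Reply: resolver.53 > client.port: <id><flags> <answer counts or rcode> ...
REPLY = re.compile(r" IP6? \S+\.53 > (\S+)\.(\d+): (\d+)\S* (\S+)")


def analyse(capture_text):
    """Return (unanswered, errors): a Counter of (qtype, name) queries that
    never got a reply, and a dict of (qtype, name) -> rcode for error replies."""
    pending, errors = {}, {}
    for line in capture_text.splitlines():
        q = QUERY.search(line)
        if q:
            client, port, txid, qtype, name = q.groups()
            pending[(client, port, txid)] = (qtype, name)
            continue
        r = REPLY.search(line)
        if r:
            client, port, txid, status = r.groups()
            asked = pending.pop((client, port, txid), None)
            # Successful replies start with counts such as "1/0/0";
            # anything else in that position is an rcode like NXDomain.
            if asked and not status[0].isdigit():
                errors[asked] = status.rstrip("*-|$")
    return Counter(pending.values()), errors


if __name__ == "__main__":
    missing, errors = analyse(SAMPLE)
    for (qtype, name), n in sorted(missing.items()):
        print(f"no reply: {n} x {qtype} {name}")
    for (qtype, name), rcode in errors.items():
        print(f"{rcode}: {qtype} {name}")
```

Running it against both the wan-side and local-interface captures shows whether the replies are lost upstream or dropped by the forwarder.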