From: Dave Taht
To: Simon Kelley
Cc: dnsmasq-discuss, "cerowrt-devel@lists.bufferbloat.net"
Date: Mon, 28 Apr 2014 12:07:06 -0700
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] test-ipv6.com vs dnssec
In-Reply-To: <535AAE37.103@thekelleys.org.uk>

On Fri, Apr 25, 2014 at 11:49 AM, Simon Kelley wrote:
> On 25/04/14 19:01, Jim Gettys wrote:
>> More specifically, after boot, most of the time test-ipv6.com reports lots
>> of problems.
>>
>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>> dnsmasq; clean bill of health from test-ipv6.com.
>>
>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>> clean bill of health.
>>
>> Then I turned on both at the same time, and things are working.
>>
>> So we seem to have a boot time race of some sort.
>> - Jim
>>
>
> test-ipv6.com is unsigned, so the important thing which is likely
> failing is the query for the DS record of test-ipv6.com, which should
> return NSEC records providing it doesn't exist, signed by .com

As one example of a registrar not with the program, name.com
(registrar for bufferbloat.net) does not allow for ds records to come
from it, so that domain can't be fully signed.

So it sounds to me as if negative proofs are not possible with registrars
that lack this support?

>
> Simon.
>
>>
>> On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht wrote:
>>
>>> jg tells me the test-ipv6.com site fails with dnssec and enabled on
>>> native ipv6.
>>>
>>> disabling dnssec works.
>>>
>>> anyone can confirm? get a log/packet capture?
>>>
>>> --
>>> Dave Täht

--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article