From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dave.taht@gmail.com>
Received: from mail-we0-x233.google.com (mail-we0-x233.google.com
	[IPv6:2a00:1450:400c:c03::233])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id CF32A21F203
	for <cerowrt-devel@lists.bufferbloat.net>;
	Mon, 28 Apr 2014 10:03:37 -0700 (PDT)
Received: by mail-we0-f179.google.com with SMTP id x48so6580618wes.38
	for <cerowrt-devel@lists.bufferbloat.net>;
	Mon, 28 Apr 2014 10:03:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=AN291BKO3P18pVBlSuxtUEcJ+Z2I4mNIXISno/KzygM=;
	b=KbtepVNQpPKU/RUbvw/WeZ5LRyHAc+HH2j0HV8m4kY/HhaDrNEvCO7iiIp1b+0k4iv
	xFg34uSXHv/v7xT/FDU+encnK2MuBZ/CEmLQ1C47nWcvixEZRr3AwM7vgfmMSkUn0E/E
	KVitY+qspyWRp0IjPZZKGlfkXp/Ap5Y08gtQj/ItyzBdOv33rp+kHuM+fs4TvbHcsGAB
	NB47TmEBKaVGgpvn0tCXVtuQ+oFxlYC+Agw7IJiaeY7FsZWyWZ0Jh3vRdfEGN96Jxa0s
	S8NePHOhYYT6olb5F6dT+WBZodVDYufdS3yUB6qXwWYSXhXdRtXQFATi9Vzf/scitCGM
	yeUg==
MIME-Version: 1.0
X-Received: by 10.194.77.148 with SMTP id s20mr19969576wjw.31.1398704615618;
	Mon, 28 Apr 2014 10:03:35 -0700 (PDT)
Received: by 10.216.207.82 with HTTP; Mon, 28 Apr 2014 10:03:35 -0700 (PDT)
In-Reply-To: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
Date: Mon, 28 Apr 2014 10:03:35 -0700
Message-ID: <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
From: Dave Taht <dave.taht@gmail.com>
To: Jim Gettys <jg@freedesktop.org>
Content-Type: multipart/alternative; boundary=047d7bf0d490c2874004f81d4b1f
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	"cerowrt-devel@lists.bufferbloat.net" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast,
 with Cero 3.10.38-1/DNSmasq 4-26-2014
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 17:03:38 -0000

--047d7bf0d490c2874004f81d4b1f
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg@freedesktop.org> wrote:

> =E2=80=8B=E2=80=8BComcast recently lit up IPv6 native dual stack in the B=
oston area.
>
> The http://test-ipv6.com/ web site complains about DNS problems unless
> dnssec is disabled; if it is, I get various timeouts.
>
>
>
 Test with IPv4 DNS record
> ok (4.196s)
> Test with IPv6 DNS record
> ok (0.115s) using ipv6
> Test with Dual Stack DNS record
> timeout (11.882s)
>

I  don't  know what this test does. try a local query over ipv6?

Test for Dual Stack DNS and large packet
> timeout (11.817s)
> Test IPv4 without DNS
> ok (0.214s) using ipv4
> Test IPv6 without DNS
> ok (0.204s) using ipv6
> Test IPv6 large packet
> ok (0.120s) using ipv6
> Test if your ISP's DNS server uses IPv6
> slow (8.752s)
> Find IPv4 Service Provider
> timeout (11.968s)
> Find IPv6 Service Provider
> ok (0.126s) using ipv6 ASN 7922
> Test for buggy DNS
> undefined (5.003s)
>
> DNS server addresses look reasonable for Comcast.
> DNS 1: 75.75.75.75
> DNS 2: 75.75.76.76
>

To try to isolate  things a little  bit, you can turn off fetching ipv4 dns
servers
with

option peerdns  '0'

in the wan (ge00) stanza  of /etc/config/network

and let the wan6 stanza fetch them.

A packet capture of it working vs not working would be good.

tcpdump  -i ge00 -w cap1.cap port 53

Also  capture on the local interface.

DNS 1: 2001:558:feed::1
> DNS 2: 2001:558:feed::2
>
> Today, the problem seems consistent with turning dnssec on and off on the
> router.  If enabled, I have problems; if disabled, I get a clean bill of
> health out of test-ipv6.com.
>                                              - Jim
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
>


--=20
Dave T=C3=A4ht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indece=
nt.article

--047d7bf0d490c2874004f81d4b1f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <span dir=3D"ltr">&lt;<=
a href=3D"mailto:jg@freedesktop.org" target=3D"_blank">jg@freedesktop.org</=
a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div style=3D"font-size:sma=
ll">=E2=80=8B=E2=80=8BComcast recently lit up IPv6 native dual stack in the=
 Boston area.</div><div style=3D"font-size:small">
<br></div><div style=3D"font-size:small">
The=C2=A0<a href=3D"http://test-ipv6.com/" target=3D"_blank">http://test-ip=
v6.com/</a> web site complains about DNS problems unless dnssec is disabled=
; if it is, I get various timeouts.</div><div><br>=C2=A0</div></div></block=
quote><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
eft:1px #ccc solid;padding-left:1ex">
<div dir=3D"ltr"><div style=3D"font-size:small">
</div><div style=3D"font-size:small"><table summary=3D"tests run, and pass/=
fail" style=3D"font-size:medium;font-family:sans-serif" border=3D"0" cellpa=
dding=3D"3"><tbody><tr><td style=3D"vertical-align:top" nowrap>
Test with IPv4 DNS record</td><td style=3D"vertical-align:top" nowrap>=C2=
=A0</td><td style=3D"vertical-align:top" nowrap><div style=3D"width:265px;m=
argin-left:auto;margin-right:auto;border:0px solid rgb(0,0,0)"><span style=
=3D"font-weight:bold;color:green">ok</span>=C2=A0(4.196s)</div>

</td></tr><tr><td style=3D"vertical-align:top" nowrap>Test with IPv6 DNS re=
cord</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td><td style=3D"ve=
rtical-align:top" nowrap><div style=3D"width:265px;margin-left:auto;margin-=
right:auto;border:0px solid rgb(0,0,0)">

<span style=3D"font-weight:bold;color:green">ok</span>=C2=A0(0.115s) using =
ipv6</div></td></tr><tr><td style=3D"vertical-align:top" nowrap>Test with D=
ual Stack DNS record</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td=
><td style=3D"vertical-align:top" nowrap>

<div style=3D"width:265px;margin-left:auto;margin-right:auto;border:0px sol=
id rgb(0,0,0)"><span style=3D"font-weight:bold;color:red">timeout</span>=C2=
=A0(11.882s)</div></td></tr></tbody></table></div></div></blockquote><div><=
br></div>
<div>I=C2=A0 don&#39;t=C2=A0 know what this test does. try a local query ov=
er ipv6?<br><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0=
 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div =
style=3D"font-size:small">
<table summary=3D"tests run, and pass/fail" style=3D"font-size:medium;font-=
family:sans-serif" border=3D"0" cellpadding=3D"3"><tbody><tr><td style=3D"v=
ertical-align:top" nowrap>
Test for Dual Stack DNS and large packet</td><td style=3D"vertical-align:to=
p" nowrap>=C2=A0</td><td style=3D"vertical-align:top" nowrap><div style=3D"=
width:265px;margin-left:auto;margin-right:auto;border:0px solid rgb(0,0,0)"=
>
<span style=3D"font-weight:bold;color:red">timeout</span>=C2=A0(11.817s)</d=
iv></td></tr><tr><td style=3D"vertical-align:top" nowrap>Test IPv4 without =
DNS</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td><td style=3D"ver=
tical-align:top" nowrap>

<div style=3D"width:265px;margin-left:auto;margin-right:auto;border:0px sol=
id rgb(0,0,0)"><span style=3D"font-weight:bold;color:green">ok</span>=C2=A0=
(0.214s) using ipv4</div></td></tr><tr><td style=3D"vertical-align:top" now=
rap>
Test IPv6 without DNS</td><td style=3D"vertical-align:top" nowrap>=C2=A0</t=
d><td style=3D"vertical-align:top" nowrap><div style=3D"width:265px;margin-=
left:auto;margin-right:auto;border:0px solid rgb(0,0,0)"><span style=3D"fon=
t-weight:bold;color:green">ok</span>=C2=A0(0.204s) using ipv6</div>

</td></tr><tr><td style=3D"vertical-align:top" nowrap>Test IPv6 large packe=
t</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td><td style=3D"verti=
cal-align:top" nowrap><div style=3D"width:265px;margin-left:auto;margin-rig=
ht:auto;border:0px solid rgb(0,0,0)">

<span style=3D"font-weight:bold;color:green">ok</span>=C2=A0(0.120s) using =
ipv6</div></td></tr><tr><td style=3D"vertical-align:top" nowrap>Test if you=
r ISP&#39;s DNS server uses IPv6</td><td style=3D"vertical-align:top" nowra=
p>
=C2=A0</td><td style=3D"vertical-align:top" nowrap><div style=3D"width:265p=
x;margin-left:auto;margin-right:auto;border:0px solid rgb(0,0,0)"><span sty=
le=3D"font-weight:bold;color:orange">slow</span>=C2=A0(8.752s)</div>
</td></tr><tr><td style=3D"vertical-align:top" nowrap>Find IPv4 Service Pro=
vider</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td><td style=3D"v=
ertical-align:top" nowrap><div style=3D"width:265px;margin-left:auto;margin=
-right:auto;border:0px solid rgb(0,0,0)">

<span style=3D"font-weight:bold;color:red">timeout</span>=C2=A0(11.968s)</d=
iv></td></tr><tr><td style=3D"vertical-align:top" nowrap>Find IPv6 Service =
Provider</td><td style=3D"vertical-align:top" nowrap>=C2=A0</td><td style=
=3D"vertical-align:top" nowrap>

<div style=3D"width:265px;margin-left:auto;margin-right:auto;border:0px sol=
id rgb(0,0,0)"><span style=3D"font-weight:bold;color:green">ok</span>=C2=A0=
(0.126s) using ipv6 ASN 7922</div></td></tr><tr>
<td style=3D"vertical-align:top" nowrap>Test for buggy DNS</td><td style=3D=
"vertical-align:top" nowrap>=C2=A0</td><td style=3D"vertical-align:top" now=
rap><div style=3D"width:265px;margin-left:auto;margin-right:auto;border:0px=
 solid rgb(0,0,0)">

<span style=3D"font-weight:bold;color:green">undefined</span>=C2=A0(5.003s)=
</div><div><br></div></td></tr></tbody></table></div><div style=3D"font-siz=
e:small">DNS server addresses look reasonable for Comcast.</div>
<div><div>DNS 1: 75.75.75.75</div><div>DNS 2: 75.75.76.76</div></div></div>=
</blockquote><div><br></div><div>To try to isolate=C2=A0 things a little=C2=
=A0 bit, you can turn off fetching ipv4 dns servers<br>with <br><br>option =
peerdns=C2=A0 &#39;0&#39;<br>
<br></div><div>in the wan (ge00) stanza=C2=A0 of /etc/config/network<br><br=
></div><div>and let the wan6 stanza fetch them.<br></div><div><br></div><di=
v>A packet capture of it working vs not working would be good.<br><br></div=
>
<div>tcpdump=C2=A0 -i ge00 -w cap1.cap port 53<br>=C2=A0<br></div><div>Also=
=C2=A0 capture on the local interface.<br><br></div><blockquote class=3D"gm=
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex"><div dir=3D"ltr">
<div><div><div>DNS 1: 2001:558:feed::1</div><div>
DNS 2: 2001:558:feed::2</div><div><br></div></div></div><div style=3D"font-=
size:small">Today, the problem seems consistent with turning dnssec on and =
off on the router. =C2=A0If enabled, I have problems; if disabled, I get a =
clean bill of health out of <a href=3D"http://test-ipv6.com" target=3D"_bla=
nk">test-ipv6.com</a>.</div>
<span class=3D"HOEnZb"><font color=3D"#888888">
<div style=3D"font-size:small">=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0- Jim</div><div style=3D"font-=
size:small"><br></div></font></span></div>
<br>_______________________________________________<br>
Cerowrt-devel mailing list<br>
<a href=3D"mailto:Cerowrt-devel@lists.bufferbloat.net">Cerowrt-devel@lists.=
bufferbloat.net</a><br>
<a href=3D"https://lists.bufferbloat.net/listinfo/cerowrt-devel" target=3D"=
_blank">https://lists.bufferbloat.net/listinfo/cerowrt-devel</a><br>
<br></blockquote></div><br><br clear=3D"all"><br>-- <br>Dave T=C3=A4ht<br><=
br>NSFW: <a href=3D"https://w2.eff.org/Censorship/Internet_censorship_bills=
/russell_0296_indecent.article" target=3D"_blank">https://w2.eff.org/Censor=
ship/Internet_censorship_bills/russell_0296_indecent.article</a>
</div></div>

--047d7bf0d490c2874004f81d4b1f--