From: Dave Taht
To: Jim Gettys
Cc: dnsmasq-discuss, "cerowrt-devel@lists.bufferbloat.net"
Date: Mon, 28 Apr 2014 10:03:35 -0700
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys wrote:

> Comcast recently lit up IPv6 native dual stack in the Boston area.
>
> The http://test-ipv6.com/ web site complains about DNS problems unless
> dnssec is disabled; if it is, I get various timeouts.
>
> Test with IPv4 DNS record
> ok (4.196s)
> Test with IPv6 DNS record
> ok (0.115s) using ipv6
> Test with Dual Stack DNS record
> timeout (11.882s)

I don't know what this test does. try a local query over ipv6?

> Test for Dual Stack DNS and large packet
> timeout (11.817s)
> Test IPv4 without DNS
> ok (0.214s) using ipv4
> Test IPv6 without DNS
> ok (0.204s) using ipv6
> Test IPv6 large packet
> ok (0.120s) using ipv6
> Test if your ISP's DNS server uses IPv6
> slow (8.752s)
> Find IPv4 Service Provider
> timeout (11.968s)
> Find IPv6 Service Provider
> ok (0.126s) using ipv6 ASN 7922
> Test for buggy DNS
> undefined (5.003s)
>
> DNS server addresses look reasonable for Comcast.
> DNS 1: 75.75.75.75
> DNS 2: 75.75.76.76

To try to isolate things a little bit, you can turn off fetching ipv4 dns servers
with

    option peerdns '0'

in the wan (ge00) stanza of /etc/config/network
and let the wan6 stanza fetch them.

A packet capture of it working vs not working would be good.

    tcpdump -i ge00 -w cap1.cap port 53

Also capture on the local interface.

> DNS 1: 2001:558:feed::1
> DNS 2: 2001:558:feed::2
>
> Today, the problem seems consistent with turning dnssec on and off on the
> router. If enabled, I have problems; if disabled, I get a clean bill of
> health out of test-ipv6.com.
> - Jim

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
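Added example, not part of the original message and not code from CeroWrt or dnsmasq: one way to compare the "working" and "not working" captures requested above is to tally, per capture, the queries that never got a reply, the response codes, and the truncated responses. It assumes the classic pcap file that `tcpdump -w` writes on an Ethernet interface (either byte order), ignores TCP, IPv6 extension headers and IP fragments, and matches replies to queries on (client port, DNS ID); the function names and the embedded sample capture are constructed for illustration.

```python
import struct
from collections import Counter

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def dns_payloads(pcap):
    """Yield (client_port, DNS message) for UDP port 53 in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(order + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        # EtherType plus the IP "next protocol" byte must say UDP (17).
        v4 = frame[12:14] == b"\x08\x00" and frame[23:24] == b"\x11"
        v6 = frame[12:14] == b"\x86\xdd" and frame[20:21] == b"\x11"  # no extension headers
        udp = 14 + (frame[14] & 0x0F) * 4 if v4 else 54
        if not (v4 or v6) or len(frame) < udp + 20:   # need UDP + 12-byte DNS header
            continue
        sport, dport = struct.unpack_from("!HH", frame, udp)
        if 53 in (sport, dport):
            yield (sport if dport == 53 else dport), frame[udp + 8:]

def summarize(pcap):
    """Match responses to queries by (client port, DNS ID) and tally the outcome."""
    pending, rcodes, truncated = set(), Counter(), 0
    for port, msg in dns_payloads(pcap):
        ident, flags = struct.unpack_from("!HH", msg)
        if flags & 0x8000:                            # QR=1: response
            pending.discard((port, ident))
            rcodes[RCODES.get(flags & 0xF, str(flags & 0xF))] += 1
            truncated += bool(flags & 0x0200)         # TC bit set
        else:
            pending.add((port, ident))
    return {"unanswered": len(pending), "rcodes": dict(rcodes), "truncated": truncated}

def sample_pcap():
    """Constructed capture: header-only DNS messages; query 3 never gets a reply."""
    ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, 17]) + bytes(10)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, dport, ident, flags in [(40000, 53, 1, 0x0100), (53, 40000, 1, 0x8180),
            (40000, 53, 2, 0x0100), (53, 40000, 2, 0x8182), (40000, 53, 3, 0x0100),
            (40000, 53, 4, 0x0100), (53, 40000, 4, 0x8380)]:
        dns = struct.pack("!HH8x", ident, flags)
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 20, 0) + dns
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Run `summarize(open("cap1.cap", "rb").read())` on each capture and compare the two results; a jump in `unanswered` or `SERVFAIL` with dnssec enabled shows which queries to inspect in the raw capture.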