Development issues regarding the cerowrt test router project
From: Dave Taht <dave.taht@gmail.com>
To: Aaron Wood <woody77@gmail.com>
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss]  more dnssec failures
Date: Thu, 24 Apr 2014 09:03:49 -0700
Message-ID: <CAA93jw70=XwH+Q8_6cPJN_S=joayOvZ2fmMZHgoXTN0r+EWyMQ@mail.gmail.com>
In-Reply-To: <CALQXh-O4puZOB710+R2CcY3AEqTZhAJvU8YFsjjH3_xK1CdXvA@mail.gmail.com>

What does unbound or bind do?

On Thu, Apr 24, 2014 at 5:35 AM, Aaron Wood <woody77@gmail.com> wrote:
> And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT
> double-NAT behind a Freebox v6):
>
> dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> ; <<>> DiG 9.8.5-P1 <<>> @192.168.1.254 DS
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11369
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS
>
> ;; AUTHORITY SECTION:
> cn.akamaiedge.net. 1800 IN SOA n0cn.akamaiedge.net. hostmaster.akamai.com.
> 1398342840 1000 1000 1000 1800
>
> ;; Query time: 39 msec
> ;; SERVER: 192.168.1.254#53(192.168.1.254)
> ;; WHEN: Thu Apr 24 14:34:00 CEST 2014
> ;; MSG SIZE  rcvd: 127
>
> -Aaron
>
>
> On Thu, Apr 24, 2014 at 2:33 PM, Aaron Wood <woody77@gmail.com> wrote:
>>
>> Well, I'm seeing the same results as you are from here in Paris (using
>> Free.fr).
>>
>> -Aaron
>>
>>
>> On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
>>>
>>> On 24/04/14 11:49, Aaron Wood wrote:
>>>
>>> >
>>> >> Dnsmasq does the DS query next because the answer to the A query comes
>>> >> back unsigned, so dnsmasq is looking for a DS record that proves this is
>>> >> OK. It's likely that Verisign does that top-down (starting from the
>>> >> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
>>> >> broken DS, whilst dnsmasq does.
>>> >>
>>> >> That's as good an analysis as I can produce right now. Anyone who can
>>> >> shed more light, please do.
>>> >>
>>> >> (And yes, please report DNSSEC problems on the dnsmasq-discuss list for
>>> >> preference.)
>>> >>
>>> >
>>> > This is still persisting (and it appears to be blocking a bunch of Apple
>>> > software update functions).  From your comments, Simon, it sounds like you
>>> > think this is an Akamai issue, and should be reported to them?
>>> >
>>>
>>> I'm not absolutely sure that this isn't also a dnsmasq problem, and
>>> DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
>>> answer to
>>>
>>> dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>
>>> can not be either a Google ('cause it's their recursive server) or
>>> Akamai problem.
>>>
>>> Poking further, it looks like the authoritative name servers for that
>>> zone are
>>>
>>> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;cn.akamaiedge.net.             IN      NS
>>>
>>> ;; ANSWER SECTION:
>>> cn.akamaiedge.net.      299     IN      NS      n7cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n6cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n0cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n2cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n5cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n4cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n3cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n1cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n8cn.akamaiedge.net.
>>>
>>> and all of those give sensible answers for
>>>
>>> DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>
>>> except n8cn.akamaiedge.net, which isn't responding, so I rather think
>>> this may be a Google mess.
>>>
>>> Or maybe it's Great Firewall induced breakage?
>>>
>>> Cheers,
>>>
>>>
>>> Simon.
>>>
>>>
>>>
>>
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
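
A simplified model of the bottom-up versus top-down DS search described in the quoted text, added here as an illustration; it is not part of the thread and is not dnsmasq's, Google's or Verisign's code. The per-name outcomes are constructed: only the SERVFAIL via 8.8.8.8 and the empty NOERROR answer via Free.fr come from the thread, and the status assigned to `net.` and `akamaiedge.net.` is an assumption.

```python
QNAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net."

# Constructed outcome of a DS query per name, as seen through one upstream.
BASE = {
    "net.": "DS",               # assumed: signed delegation from the root
    "akamaiedge.net.": "NO_DS", # assumed: signed proof that no DS exists
}
GOOGLE = {**BASE, QNAME: "SERVFAIL"}  # thread: SERVFAIL from 8.8.8.8
FREE_FR = dict(BASE)                  # thread: NOERROR, empty answer for QNAME

def lookup(view, name):
    # Default: NOERROR with no DS, but unsigned, so it proves nothing alone.
    return view.get(name, "UNSIGNED_EMPTY")

def ancestors(qname):
    """qname and each parent below the root, leaf first."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def bottom_up(view, qname):
    """Ask for DS at the leaf and climb until an answer settles the question."""
    asked = []
    for name in ancestors(qname):
        asked.append(name)
        result = lookup(view, name)
        if result == "SERVFAIL":
            return "fail", asked      # cannot show the unsigned answer is OK
        if result == "NO_DS":
            return "insecure", asked  # proven unsigned: answer is accepted
        if result == "DS":
            return "bogus", asked     # signed zone, yet the answer was unsigned
    return "fail", asked              # ran out of names without any proof

def top_down(view, qname):
    """Descend from the root and stop at the first proven-unsigned delegation."""
    asked = []
    for name in reversed(ancestors(qname)):
        asked.append(name)
        result = lookup(view, name)
        if result == "SERVFAIL":
            return "fail", asked
        if result == "NO_DS":
            return "insecure", asked  # nothing below this point is queried
        if result != "DS":
            return "bogus", asked     # unsigned reply inside a signed zone
    return "secure", asked

if __name__ == "__main__":
    for label, view in (("8.8.8.8", GOOGLE), ("Free.fr", FREE_FR)):
        print(label, "bottom-up:", bottom_up(view, QNAME)[0],
              "| top-down:", top_down(view, QNAME)[0])
```

In this model the top-down walk stops at `akamaiedge.net.` and never sends the query that fails, while the bottom-up walk sends it first, so the two upstreams only disagree for a bottom-up validator.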
