* [Cerowrt-devel] DNSSEC and www.ietf.org
@ 2015-03-30 15:52 Marc Petit-Huguenin
2015-03-30 15:58 ` Dave Taht
0 siblings, 1 reply; 12+ messages in thread
From: Marc Petit-Huguenin @ 2015-03-30 15:52 UTC (permalink / raw)
To: cerowrt-devel
Am I the only one who cannot access www.ietf.org since Cloudflare enabled DNSSEC? (with dnsmasq-full 2.73-3)
Thanks.
--
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] DNSSEC and www.ietf.org
2015-03-30 15:52 [Cerowrt-devel] DNSSEC and www.ietf.org Marc Petit-Huguenin
@ 2015-03-30 15:58 ` Dave Taht
2015-03-30 16:19 ` David Personette
2015-03-30 17:49 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
0 siblings, 2 replies; 12+ messages in thread
From: Dave Taht @ 2015-03-30 15:58 UTC (permalink / raw)
To: Marc Petit-Huguenin; +Cc: dnsmasq-discuss, cerowrt-devel
I have trouble accessing ietf.org, also, with older versions of
dnsmasq + dnssec, presently.
On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
<marc@petit-huguenin.org> wrote:
> Am I the only one who cannot access www.ietf.org since Cloudflare enabled DNSSEC? (with dnsmasq-full 2.73-3)
>
> Thanks.
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: http://blog.marc.petit-huguenin.org
> Profile: http://www.linkedin.com/in/petithug
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
--
Dave Täht
Let's make wifi fast, less jittery and reliable again!
https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] DNSSEC and www.ietf.org
2015-03-30 15:58 ` Dave Taht
@ 2015-03-30 16:19 ` David Personette
2015-03-30 17:49 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
1 sibling, 0 replies; 12+ messages in thread
From: David Personette @ 2015-03-30 16:19 UTC (permalink / raw)
To: Dave Taht; +Cc: dnsmasq-discuss, cerowrt-devel
Dave,
Sorry to be pedantic, but did you mean:
A) You did have the issue with older versions, and you still see that issue
with those old versions.
B) You did have the issue with older versions, and you also have it with
the current beta version of dnsmasq.
Thanks.
P.S. I'd had several weeks of issues with DNSsec enabled (due to the Google
issue), and disabled it about a week or two ago.
--
David P.
On Mon, Mar 30, 2015 at 11:58 AM, Dave Taht <dave.taht@gmail.com> wrote:
> I have trouble accessing ietf.org, also, with older versions of
> dnsmasq + dnssec, presently.
>
> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
> <marc@petit-huguenin.org> wrote:
> > Am I the only one who cannot access www.ietf.org since Cloudflare
> enabled DNSSEC? (with dnsmasq-full 2.73-3)
> >
> > Thanks.
> >
> > --
> > Marc Petit-Huguenin
> > Email: marc@petit-huguenin.org
> > Blog: http://blog.marc.petit-huguenin.org
> > Profile: http://www.linkedin.com/in/petithug
> >
> >
> > _______________________________________________
> > Cerowrt-devel mailing list
> > Cerowrt-devel@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-devel
> >
>
>
>
> --
> Dave Täht
> Let's make wifi fast, less jittery and reliable again!
>
> https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-03-30 15:58 ` Dave Taht
2015-03-30 16:19 ` David Personette
@ 2015-03-30 17:49 ` Simon Kelley
2015-03-30 18:17 ` Marc Petit-Huguenin
1 sibling, 1 reply; 12+ messages in thread
From: Simon Kelley @ 2015-03-30 17:49 UTC (permalink / raw)
To: Dave Taht, Marc Petit-Huguenin; +Cc: dnsmasq-discuss, cerowrt-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.
(the problem is that the cloudflare.net zone includes the domains
/003.cloudflare.net (that's ctrl-c at the start) and that was
confusing dnsmasq.)
Simon.
On 30/03/15 16:58, Dave Taht wrote:
> I have trouble accessing ietf.org, also, with older versions of
> dnsmasq + dnssec, presently.
>
> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
> <marc@petit-huguenin.org> wrote:
>> Am I the only one who cannot access www.ietf.org since Cloudflare
>> enabled DNSSEC? (with dnsmasq-full 2.73-3)
>>
>> Thanks.
>>
>> -- Marc Petit-Huguenin Email: marc@petit-huguenin.org Blog:
>> http://blog.marc.petit-huguenin.org Profile:
>> http://www.linkedin.com/in/petithug
>>
>>
>> _______________________________________________ Cerowrt-devel
>> mailing list Cerowrt-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iEYEARECAAYFAlUZjL4ACgkQKPyGmiibgrdYXgCfRcv1bxlH05WXnDXSBXBenBfZ
5MsAmwTzuoR4mXsDlJCb4Cxpqe6hC8uQ
=8QuA
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-03-30 17:49 ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
@ 2015-03-30 18:17 ` Marc Petit-Huguenin
2015-03-30 18:42 ` Dave Taht
0 siblings, 1 reply; 12+ messages in thread
From: Marc Petit-Huguenin @ 2015-03-30 18:17 UTC (permalink / raw)
To: Simon Kelley, Dave Taht; +Cc: dnsmasq-discuss, cerowrt-devel
On 03/30/2015 11:49 AM, Simon Kelley wrote:
> Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.
>
> (the problem is that the cloudflare.net zone includes the domains
> /003.cloudflare.net (that's ctrl-c at the start) and that was
> confusing dnsmasq.)
Thanks.
Dave, any chance to get a build of 2.73rc3?
>
> Simon.
>
>
>
> On 30/03/15 16:58, Dave Taht wrote:
>> I have trouble accessing ietf.org, also, with older versions of
>> dnsmasq + dnssec, presently.
>
>> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
>> <marc@petit-huguenin.org> wrote:
>>> Am I the only one who cannot access www.ietf.org since Cloudflare
>>> enabled DNSSEC? (with dnsmasq-full 2.73-3)
>>>
>>> Thanks.
>>>
>>> -- Marc Petit-Huguenin Email: marc@petit-huguenin.org Blog:
>>> http://blog.marc.petit-huguenin.org Profile:
>>> http://www.linkedin.com/in/petithug
>>>
>>>
>>> _______________________________________________ Cerowrt-devel
>>> mailing list Cerowrt-devel@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>
>
>
>
>
>
--
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-03-30 18:17 ` Marc Petit-Huguenin
@ 2015-03-30 18:42 ` Dave Taht
2015-04-11 15:03 ` Marc Petit-Huguenin
0 siblings, 1 reply; 12+ messages in thread
From: Dave Taht @ 2015-03-30 18:42 UTC (permalink / raw)
To: Marc Petit-Huguenin; +Cc: dnsmasq-discuss, cerowrt-devel
for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
was a problem til today...
for my current openwrt builds - you betcha. thursday-ish.
On Mon, Mar 30, 2015 at 11:17 AM, Marc Petit-Huguenin
<marc@petit-huguenin.org> wrote:
> On 03/30/2015 11:49 AM, Simon Kelley wrote:
>> Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.
>>
>> (the problem is that the cloudflare.net zone includes the domains
>> /003.cloudflare.net (that's ctrl-c at the start) and that was
>> confusing dnsmasq.)
>
> Thanks.
>
> Dave, any chance to get a build of 2.73rc3?
>
>>
>> Simon.
>>
>>
>>
>> On 30/03/15 16:58, Dave Taht wrote:
>>> I have trouble accessing ietf.org, also, with older versions of
>>> dnsmasq + dnssec, presently.
>>
>>> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
>>> <marc@petit-huguenin.org> wrote:
>>>> Am I the only one who cannot access www.ietf.org since Cloudflare
>>>> enabled DNSSEC? (with dnsmasq-full 2.73-3)
>>>>
>>>> Thanks.
>>>>
>>>> -- Marc Petit-Huguenin Email: marc@petit-huguenin.org Blog:
>>>> http://blog.marc.petit-huguenin.org Profile:
>>>> http://www.linkedin.com/in/petithug
>>>>
>>>>
>>>> _______________________________________________ Cerowrt-devel
>>>> mailing list Cerowrt-devel@lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>>
>>
>>
>>
>>
>>
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: http://blog.marc.petit-huguenin.org
> Profile: http://www.linkedin.com/in/petithug
>
--
Dave Täht
Let's make wifi fast, less jittery and reliable again!
https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-03-30 18:42 ` Dave Taht
@ 2015-04-11 15:03 ` Marc Petit-Huguenin
2015-04-11 16:32 ` Kevin Darbyshire-Bryant
2015-04-11 16:38 ` Dave Taht
0 siblings, 2 replies; 12+ messages in thread
From: Marc Petit-Huguenin @ 2015-04-11 15:03 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
On 03/30/2015 12:42 PM, Dave Taht wrote:
> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
> was a problem til today...
So I suppose that means that Cerowrt is now unmaintained and that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
So, what would you recommend for my WNDR3800?
Thanks.
>
> for my current openwrt builds - you betcha. thursday-ish.
>
> On Mon, Mar 30, 2015 at 11:17 AM, Marc Petit-Huguenin
> <marc@petit-huguenin.org> wrote:
>> On 03/30/2015 11:49 AM, Simon Kelley wrote:
>>> Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.
>>>
>>> (the problem is that the cloudflare.net zone includes the domains
>>> /003.cloudflare.net (that's ctrl-c at the start) and that was
>>> confusing dnsmasq.)
>>
>> Thanks.
>>
>> Dave, any chance to get a build of 2.73rc3?
>>
>>>
>>> Simon.
>>>
>>>
>>>
>>> On 30/03/15 16:58, Dave Taht wrote:
>>>> I have trouble accessing ietf.org, also, with older versions of
>>>> dnsmasq + dnssec, presently.
>>>
>>>> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
>>>> <marc@petit-huguenin.org> wrote:
>>>>> Am I the only one who cannot access www.ietf.org since Cloudflare
>>>>> enabled DNSSEC? (with dnsmasq-full 2.73-3)
>>>>>
>>>>> Thanks.
>>>>>
--
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-04-11 15:03 ` Marc Petit-Huguenin
@ 2015-04-11 16:32 ` Kevin Darbyshire-Bryant
2015-04-11 16:49 ` Dave Taht
2015-04-13 14:02 ` Marc Petit-Huguenin
2015-04-11 16:38 ` Dave Taht
1 sibling, 2 replies; 12+ messages in thread
From: Kevin Darbyshire-Bryant @ 2015-04-11 16:32 UTC (permalink / raw)
To: cerowrt-devel
On 11/04/2015 16:03, Marc Petit-Huguenin wrote:
> On 03/30/2015 12:42 PM, Dave Taht wrote:
>> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
>> was a problem til today...
> So I suppose that means that Cerowrt is now unmaintained and that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
>
> So, what would you recommend for my WNDR3800?
>
> Thanks.
Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
with suitable handling for DNSSEC. Certainly I've DNSSEC enabled and
can browse the site you mention without obvious problem.
The automatic determination of 'valid current time' and hence checking
signature timestamps has an issue: The startup script uses 'touch -t
1970epoch timestampfile' to pre-create a timestamp file which slightly
defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
invalid option.
^ permalink raw reply [flat|nested] 12+ messages in thread
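An added illustration (not from the thread, and not dnsmasq or OpenWrt code) of the timestamp-file issue described in the message above. It models the documented behaviour of dnsmasq's `--dnssec-timestamp` option, where the system clock is treated as valid once it is later than the file's timestamp. The stamp given to a freshly created file, the clock values, the RRSIG window and all function names are constructed assumptions.

```python
import os
import tempfile

# All values below are constructed for the illustration.
INITIAL_STAMP = 1420070400   # 2015-01-01 UTC: assumed stamp for a file the daemon creates itself
BOOT_CLOCK = 1293840000      # 2011-01-01 UTC: clock of a router with no RTC, before NTP sync
REAL_NOW = 1428768000        # 2015-04-11 16:00 UTC: the true time
RRSIG_WINDOW = (1427846400, 1430438400)  # inception 2015-04-01, expiration 2015-05-01


def clock_trusted(stamp_file, now):
    """Model of the timestamp-file check: the clock is trusted once it is
    later than the file's mtime; the file is then moved forward to 'now'."""
    try:
        mtime = os.stat(stamp_file).st_mtime
    except FileNotFoundError:
        # First start: the daemon creates the file and stamps it itself.
        open(stamp_file, "x").close()
        os.utime(stamp_file, (INITIAL_STAMP, INITIAL_STAMP))
        mtime = INITIAL_STAMP
    if now < mtime:
        return False                      # clock is behind: do not trust it yet
    os.utime(stamp_file, (now, now))      # ratchet the stamp forward
    return True


def rrsig_accepted(now, trusted, window=RRSIG_WINDOW):
    """Time-window part of validation only (the signature check is out of scope).
    While the clock is untrusted the window is not enforced."""
    if not trusted:
        return True
    inception, expiration = window
    return inception <= now <= expiration


def simulate_boot(precreate_at_epoch, clock):
    """Return (clock_trusted, currently_valid_rrsig_accepted) for one boot."""
    with tempfile.TemporaryDirectory() as d:
        stamp = os.path.join(d, "dnsmasq.time")
        if precreate_at_epoch:
            # What the startup script intended: a file stamped 1970-01-01.
            open(stamp, "x").close()
            os.utime(stamp, (0, 0))
        trusted = clock_trusted(stamp, clock)
        return trusted, rrsig_accepted(clock, trusted)


if __name__ == "__main__":
    for pre in (False, True):
        for clock in (BOOT_CLOCK, REAL_NOW):
            print(f"precreated={pre} clock={clock} -> {simulate_boot(pre, clock)}")
```

With the file pre-created at the epoch, a wrong boot clock is trusted immediately, so a signature that is valid in real time is rejected until the clock is corrected by some other means.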
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-04-11 15:03 ` Marc Petit-Huguenin
2015-04-11 16:32 ` Kevin Darbyshire-Bryant
@ 2015-04-11 16:38 ` Dave Taht
1 sibling, 0 replies; 12+ messages in thread
From: Dave Taht @ 2015-04-11 16:38 UTC (permalink / raw)
To: Marc Petit-Huguenin; +Cc: cerowrt-devel
On Sat, Apr 11, 2015 at 8:03 AM, Marc Petit-Huguenin
<marc@petit-huguenin.org> wrote:
> On 03/30/2015 12:42 PM, Dave Taht wrote:
>> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
>> was a problem til today...
>
> So I suppose that means that Cerowrt is now unmaintained and
Yes, as funding for cerowrt has never arrived, there seems to be no
point in continuing. I put in several grant requests, none came
through; one is still pending, but it is very small.
I do not regard the loss of dnssec capability as worthy of updating
the 3.10.50 release, particularly when it is due to a misconfiguration
at cloudflare that they have not fixed either.
> that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
Well it (also and) more means that this fix to dnssec in dnsmasq is
part of dnsmasq 2.73 rc3 and later, which is not in any OS that I know
of at the moment, backports or not. There were also many, many other
fixes to dnsmasq in rc3.
There are other possible problems in dnsmasq, the most important being
a longstanding infinite loop bug that may or may not be fixed. I had
spun up 6 servers in the cloud to extensively test ipv6 and dnsmasq
and dnssec and edns0 etc - but did not find sufficient time to tackle
the problem myself and am leaving for vacation today.
If anyone here wants to configure namebench to go through the alexa
top 1million over and over again, using ipv6 primarily, and do other
stress test benchmarks like that against 2.73rc3 and later - send me
your ssh keys - or please spin up your own servers in a cloud with
ipv6 in it (like linode), and/or dogfood elsewhere.
> So, what would you recommend for my WNDR3800?
Openwrt chaos calmer. Still won't solve your problem til someone gets
around to testing the patches and pushing them into openwrt.
I am taking my guitar and going off to this:
http://en.wikipedia.org/wiki/SpaceX_CRS-6
My backup plan, in case the internet failed, was always to get off planet.
I am quite fond of the Arkyd-3.
>
> Thanks.
>
>>
>> for my current openwrt builds - you betcha. thursday-ish.
>>
>> On Mon, Mar 30, 2015 at 11:17 AM, Marc Petit-Huguenin
>> <marc@petit-huguenin.org> wrote:
>>> On 03/30/2015 11:49 AM, Simon Kelley wrote:
>>>> Dnsmasq bug, should be fixed in 2.73rc3 pls shout if not.
>>>>
>>>> (the problem is that the cloudflare.net zone includes the domains
>>>> /003.cloudflare.net (that's ctrl-c at the start) and that was
>>>> confusing dnsmasq.)
>>>
>>> Thanks.
>>>
>>> Dave, any chance to get a build of 2.73rc3?
>>>
>>>>
>>>> Simon.
>>>>
>>>>
>>>>
>>>> On 30/03/15 16:58, Dave Taht wrote:
>>>>> I have trouble accessing ietf.org, also, with older versions of
>>>>> dnsmasq + dnssec, presently.
>>>>
>>>>> On Mon, Mar 30, 2015 at 8:52 AM, Marc Petit-Huguenin
>>>>> <marc@petit-huguenin.org> wrote:
>>>>>> Am I the only one who cannot access www.ietf.org since Cloudflare
>>>>>> enabled DNSSEC? (with dnsmasq-full 2.73-3)
>>>>>>
>>>>>> Thanks.
>>>>>>
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: http://blog.marc.petit-huguenin.org
> Profile: http://www.linkedin.com/in/petithug
>
--
Dave Täht
Let's make wifi fast, less jittery and reliable again!
https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-04-11 16:32 ` Kevin Darbyshire-Bryant
@ 2015-04-11 16:49 ` Dave Taht
2015-04-11 19:13 ` Kevin Darbyshire-Bryant
2015-04-13 14:02 ` Marc Petit-Huguenin
1 sibling, 1 reply; 12+ messages in thread
From: Dave Taht @ 2015-04-11 16:49 UTC (permalink / raw)
To: Kevin Darbyshire-Bryant; +Cc: cerowrt-devel
On Sat, Apr 11, 2015 at 9:32 AM, Kevin Darbyshire-Bryant
<kevin@darbyshire-bryant.me.uk> wrote:
> On 11/04/2015 16:03, Marc Petit-Huguenin wrote:
>> On 03/30/2015 12:42 PM, Dave Taht wrote:
>>> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
>>> was a problem til today...
>> So I suppose that means that Cerowrt is now unmaintained and that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
>>
>> So, what would you recommend for my WNDR3800?
>>
>> Thanks.
>
> Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
> with suitable handling for DNSSEC. Certainly I've DNSSEC enabled and
> can browse the site you mention without obvious problem.
I stand corrected.
I still would really like people to pound dnsmasq flat with
namebench or other dns stress tests (anyone know of any? dig in a loop
would also help), using a native ipv6 dns server upstream. It used to
take days to trigger the bug. It may only happen on networks that have
issues with edns0.
> The automatic determination of 'valid current time' and hence checking
> signature timestamps has an issue: The startup script uses 'touch -t
> 1970epoch timestampfile' to pre-create a timestamp file which slightly
> defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
> invalid option.
Well, it was a more elegant solution that dnsmasq ultimately came up
with than what was in cerowrt, and I figure that single character fix
is a single bug report to openwrt and patch away... if someone else
not getting on a plane makes it.
https://www.youtube.com/watch?v=J_GciXA-6Ag
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
--
Dave Täht
Let's make wifi fast, less jittery and reliable again!
https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-04-11 16:49 ` Dave Taht
@ 2015-04-11 19:13 ` Kevin Darbyshire-Bryant
0 siblings, 0 replies; 12+ messages in thread
From: Kevin Darbyshire-Bryant @ 2015-04-11 19:13 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
On 11/04/2015 17:49, Dave Taht wrote:
>> Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
>> with suitable handling for DNSSEC. Certainly I've DNSSEC enabled and
>> can browse the site you mention without obvious problem.
> I stand corrected.
>
> I still would really like people to pound dnsmasq flat with
> namebench or other dns stress tests (anyone know of any? dig in a loop
> would also help), using a native ipv6 dns server upstream. It used to
> take days to trigger the bug. It may only happen on networks that have
> issues with edns0.
>
>> The automatic determination of 'valid current time' and hence checking
>> signature timestamps has an issue: The startup script uses 'touch -t
>> 1970epoch timestampfile' to pre-create a timestamp file which slightly
>> defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
>> invalid option.
> Well, it was a more elegant solution that dnsmasq ultimately came up
> with than what was in cerowrt, and I figure that single character fix
> is a single bug report to openwrt and patch away... if someone else
> not getting on a plane makes it.
I shall log a ticket within 48 hours (if it doesn't get spotted and
squashed by someone else). It's not just a case of not using '-t' but
rather of not trying to defeat the internal dnsmasq logic whilst fitting
in with the requirement of being able to create a file as 'nobody' in a
directory with a) suitable permissions and b) survives reboots, and
dealing with the new secure computing changes related to procd walled
gardens. There are a few things pulling in opposite directions most of
which I've no clue :-)
Kevin
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Cerowrt-devel] [Dnsmasq-discuss] DNSSEC and www.ietf.org
2015-04-11 16:32 ` Kevin Darbyshire-Bryant
2015-04-11 16:49 ` Dave Taht
@ 2015-04-13 14:02 ` Marc Petit-Huguenin
1 sibling, 0 replies; 12+ messages in thread
From: Marc Petit-Huguenin @ 2015-04-13 14:02 UTC (permalink / raw)
To: Kevin Darbyshire-Bryant, cerowrt-devel
On 04/11/2015 10:32 AM, Kevin Darbyshire-Bryant wrote:
> On 11/04/2015 16:03, Marc Petit-Huguenin wrote:
>> On 03/30/2015 12:42 PM, Dave Taht wrote:
>>> for cerowrt-3.10? Really wasn't planning on it. Didn't even know there
>>> was a problem til today...
>> So I suppose that means that Cerowrt is now unmaintained and that I should switch to something else, because my job requires near constant access to www.ietf.org and I will not disable DNSSEC.
>>
>> So, what would you recommend for my WNDR3800?
>>
>> Thanks.
>
> Openwrt chaos calmer trunk (latest) as of a day ago has dnsmasq 2.73rc4
> with suitable handling for DNSSEC. Certainly I've DNSSEC enabled and
> can browse the site you mention without obvious problem.
I confirm that with openwrt trunk, I am now able to securely resolve www.ietf.org.
Thanks.
>
> The automatic determination of 'valid current time' and hence checking
> signature timestamps has an issue: The startup script uses 'touch -t
> 1970epoch timestampfile' to pre-create a timestamp file which slightly
> defeats the inbuilt dnsmasq logic...not helped by the fact '-t' is an
> invalid option.
>
--
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
^ permalink raw reply [flat|nested] 12+ messages in thread