From: Dave Taht
To: Robert Bradley
Cc: cerowrt-devel
Date: Sat, 12 Apr 2014 12:06:16 -0700
Subject: Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
List-Id: Development issues regarding the cerowrt test router project

I tweeted this thread to cloudflare.

On Sat, Apr 12, 2014 at 5:24 AM, Robert Bradley wrote:
> On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
>> Robert Bradley writes:
>>
>>> That seems to suggest that it's the DS queries that are failing and
>>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>>> seems to suggest that their nameservers refuse requests for DNSKEY
>>> records.
>> I seem to have no problems resolving either cloudfare.com or
>> cloudfare.net with dnssec validation enabled. But then I might have a
>> different view of their DNS infrastructure; I'm in Sweden...
>>
>> You can try running dig with +dnssec +trace to see where in the chain
>> things go wrong...
>>
>> -Toke
>
> Using +dnssec +trace returns no errors, but that ends up bypassing both
> Google's DNS servers and dnsmasq in favour of going directly to the DNS
> root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
> disliking that particular domain (at least from a UK point of view), but
> I am unable to see what it is.
>
> --
> Robert Bradley

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article