From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 6A75D21F107 for ; Tue, 18 Mar 2014 13:04:53 -0700 (PDT) Received: by mail-wi0-f169.google.com with SMTP id hm4so4112152wib.0 for ; Tue, 18 Mar 2014 13:04:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=NWeRF7mnXQlSufmtnKjA196IwPyc5Not8EBKVbmLni4=; b=Ax0ryS4PvQf+N3+odSBfpfXKDQ1cesjIUaBVKavBQkVrJWhIuqecbEZGm8v8WPaN2n kE7nC3pd7FG0cuV90vB4siWJq71pGeS1lLsYxr+/sq+OWialKShZSuf0n4HAwm3hYs7A bSppSJ+XwQXOinEt81M8C+bOuhft0rjSYZ+cMOAZo25knuHBy3grwWivvoFIXr9xGiv8 KkGDWZKL8u8FJZ+FUxP5mlJnSXguA4uU6VqQcMOL2zb5R4pE3lg7oGIHfwoYyh7NdZCf dkkmnf1N+5mvhPNBO2x+fphFHJgCwDaJMnaTJWW5DQ+RFjtGRHDRdM7sltJmnZObfvmB AQ3Q== MIME-Version: 1.0 X-Received: by 10.180.189.169 with SMTP id gj9mr16321287wic.17.1395173090917; Tue, 18 Mar 2014 13:04:50 -0700 (PDT) Received: by 10.216.8.1 with HTTP; Tue, 18 Mar 2014 13:04:50 -0700 (PDT) Date: Tue, 18 Mar 2014 16:04:50 -0400 Message-ID: From: Dave Taht To: =?ISO-8859-1?Q?T=F6r=F6k_Edwin?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "cerowrt-devel@lists.bufferbloat.net" Subject: [Cerowrt-devel] dnssec testing redux X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Mar 2014 20:04:54 -0000 On Tue, Mar 18, 2014 at 3:24 PM, T=F6r=F6k Edwin wrote: > On 03/18/2014 07:56 PM, Rich Brown wrote: >> Folks, >> >> I have updated the 3.10 Release Note page to match my understanding of t= he 3.10.32-9 release of 14 March 2014. It would be good to get more eyes on= the page to look for inconsistencies, outright errors, omissions, etc. It= 's at: http://www.bufferbloat.net/projects/cerowrt/wiki/CeroWrt_310_Release= _Notes >> >> Questions: >> >> - Please review the Features items. Any missing? Is DNSSEC enabled now? > > Good question. > If I run 'dig test.dnssec-or-not.net TXT' 3 times in succession it tells = me it is supported. > Try again a minute later, and the query times out again. Well might be ju= st my ISP's DNS servers being problematic. Well, this query wedges an older cerowrt's dnsmasq thoroughly (rendering it inoperable). But I haven't updated to -9 yet on that box. There were a few fixes to dnsmasq that I put into -10, but I haven't tested it yet (and wasn't planning to). > 1st one times out (after about 18s): > $ dig test.dnssec-or-not.net TXT This works from a very well connected host in under a second. However, the TXT record is probably uncached, which accounts for the major delays elsewhere. somewhat. > > ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT > ;; global options: +cmd > ;; connection timed out; no servers could be reached > > Second gives me no results: > $ dig test.dnssec-or-not.net TXT > > ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;test.dnssec-or-not.net. IN TXT > > ;; Query time: 748 msec > ;; SERVER: 172.30.42.1#53(172.30.42.1) > ;; WHEN: Tue Mar 18 21:17:13 EET 2014 > ;; MSG SIZE rcvd: 51 > > Third tells me its good: > dig test.dnssec-or-not.net TXT > > ; <<>> DiG 9.9.5-2-Debian <<>> test.dnssec-or-not.net TXT > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35187 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 5 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;test.dnssec-or-not.net. IN TXT > > ;; ANSWER SECTION: > test.dnssec-or-not.net. 35 IN CNAME test.ad1b63b5bebca893.dns= sec-or-not.net. > test.dnssec-or-not.net. 35 IN RRSIG CNAME 5 3 60 201404171916= 53 20140318191653 2256 dnssec-or-not.net. m/Sg8YHkFV4iQW0W20G3iLVi+z+g4p+49= 19Ihq4hPrzQV6YRUNyzl1vm pjM1pxG2mPgpqkDIRROUJtoF7k4yz2F6QzJAhbV7o7En2/MBHTR= O2BuU WoUrmBneWNxq43nbZXwYL01s7le0ff9MpQvtv14egOODa3zNuX++3htt W/Y=3D > test.ad1b63b5bebca893.dnssec-or-not.net. 36 IN CNAME test.x.ad1b63b5bebca= 893.dnssec-or-not.net. > test.ad1b63b5bebca893.dnssec-or-not.net. 36 IN RRSIG CNAME 5 4 60 2014041= 7191654 20140318191654 35475 ad1b63b5bebca893.dnssec-or-not.net. PEudHM05Qs= a7zfQtuXHSKP0n3RQttJeFa6ZE3IhYZcD1vP3ffxKDMxF0 TynSCirU2dpgI1pdW0VIwUZkkFeB= Zw7RGub2znAXqxieRqVE2pE1DGcq FAZyzy7BpvwIklBrnxidgngMdKJuXqq9ih+Kw2QrA03jFX= TWIDhC/8Wq cM0=3D > test.x.ad1b63b5bebca893.dnssec-or-not.net. 37 IN CNAME test.x.x.ad1b63b5b= ebca893.dnssec-or-not.net. > test.x.ad1b63b5bebca893.dnssec-or-not.net. 37 IN RRSIG CNAME 5 5 60 20140= 417191654 20140318191654 51156 x.ad1b63b5bebca893.dnssec-or-not.net. rfm+D0= Loe5hf3Qp6Qv6lypqlz/CXjcOqdCA3uxWnn/Sp8JBG//4bU7Kn +WZUAkz5DVnrb6Wj6j8UDVKj= KeFbNoV6ypOMZvnDVjaZiyFIjZn5OKVb /Py4IaT1aazfuO+s30ymQrtGvlrR+nrBHsziEwxCoS= FhfNLcysNsYHXL ycA=3D > test.x.x.ad1b63b5bebca893.dnssec-or-not.net. 55 IN TXT "Yes, you are usin= g DNSSEC" > test.x.x.ad1b63b5bebca893.dnssec-or-not.net. 55 IN RRSIG TXT 5 6 60 20140= 417191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. CDxb= TfIF7kD9XCZbQDNSjfnAAMkivDqKaXCVJGc1yusQuXbQqp1oWt9k chXbbv5osmkJQ60Ril113O= EC63zHght+VNyCeigJvs8blUyjRs2GTC0e smDKUamlfT4xL5nC1LlXbKp7aMCjoyg1HV8cRZvJ= FWCTKMa5DLNCjcYX 2z4=3D > > ;; AUTHORITY SECTION: > x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN NS ns1.x.x.ad1b63b5bebca893= .dnssec-or-not.net. > x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN NS ns0.x.x.ad1b63b5bebca893= .dnssec-or-not.net. > x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG NS 5 5 60 20140417191= 712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. BkGyDiDy8x= KUDQSTh01zdStU8H8FgxxTzhSnMw0tyuwg4dpPw/THlymB Ubk4a8x1p3OlrtFh2IBub2om7vg+= jxYo5joi10fX8aNgRPF3UuV+62ve CFJ2IAfvmUvKVEWouY/Yv5kvoYNGqn/imxqE7Ni0U93VW9= FuXkn1Y2tP hes=3D > > ;; ADDITIONAL SECTION: > ns0.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN A 72.13.58.79 > ns1.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN A 72.13.58.99 > ns0.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG A 5 6 60 20140417= 191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. FXg2lrS= MdJ9WV5mVgON313mCyBnRkGVZRv8BlQCNty6bKhlc12/Fpamf LMmjSy5padZm17ocqOhC6jRFa= aj+qeWjLDnArMTddqYk9ecwRTvlIpLL XNqUz/VphdWrXidfUftY8Chz/KVzJOM3FE/GDAFUAGo= RaCBLalaYDFM6 1fM=3D > ns1.x.x.ad1b63b5bebca893.dnssec-or-not.net. 54 IN RRSIG A 5 6 60 20140417= 191712 20140318191712 52056 x.x.ad1b63b5bebca893.dnssec-or-not.net. RrkstBI= GWeZ1faMrn12mUap4eGeDnY492/dFISOmP3C/Ffo9mqBQc54x ELBZ7CCyLNIPp+o25fGvS+N8N= JO5IqB2hsb+ShSqZzIGYVxCbHB8/OFN EqivXTRsygaoMXfIjIxK0IcefOSLs/MOV5PCjNjEw31= OZsq8Gp4nQLWt V4c=3D > > ;; Query time: 20 msec > ;; SERVER: 172.30.42.1#53(172.30.42.1) > ;; WHEN: Tue Mar 18 21:17:19 EET 2014 > ;; MSG SIZE rcvd: 1594 > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel --=20 Dave T=E4ht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.= html