From: Dave Taht
To: Aaron Wood
Cc: dnsmasq-discuss, cerowrt-devel
Date: Sat, 26 Apr 2014 19:46:06 -0700
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
List-Id: Development issues regarding the cerowrt test router project

On Sat, Apr 26, 2014 at 4:38 AM, Aaron Wood wrote:
> Just too many sites aren't working correctly with dnsmasq and using Google's
> DNS servers.

After 4 days of uptime, I too ended up with a wedged cerowrt 3.10.36-6 on
wifi. The symptoms were dissimilar from what has been described here - I
was seeing odhcpd trying to and failing to answer requests on the wifi
interfaces, which I'd never seen in operation before (and could have been a
self-induced failure by fiddling with hnetd).

I have merged with openwrt head, which has some hostapd and routing fixes,
as well as dnsmasq head which has some dnssec lookup fixes... and put out
cerowrt-3.10.36-7. On first boot, it had problems getting anything on wifi
to do dhcp. A reboot later (with multicast 9000 also disabled), a kindle
that was failing to get online did. This box has also never got upstream
dns servers right from the isp. I'll fiddle with the multicast thing later,
to see if that or the reboot fixed it.

With this dnssec with dnssec-check-unsigned, once time is correct:

> - Bank of America (sso-fi.bankofamerica.com)

still fails. It ain't our fault it's broke.

> - Weather Underground (cdnjs.cloudflare.com)

succeeds.

> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)

succeeds.

> http://test-ipv6.com/

don't have ipv6 capability at this location, so this succeeds. I did see it
fail once on the first boot but haven't repeated it.

>
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.

There needs to be a constant network-wide scanning service of some kind to
detect dnssec configuration errors.

> While Akamai and cloudflare appear to be issues with their entries in google
> dns, or with dnsmasq's validation of them being insecure domains, the BofA
> issue appears to be an outright bad key. And BofA isn't being helpful (just
> a continual "we use ssl" sort of quasi-automated response).

Cluebats are needed.

> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time. I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.

Don't blame you, but if we weren't beating it up, nobody would be.

> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
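The "scanning service" Dave asks for can be sketched in a few lines. What follows is an added example, not code from this thread, cerowrt or dnsmasq: a POSIX shell scanner that asks a validating resolver for each name twice, once normally and once with the CD (checking disabled) bit set, and labels the name secure (AD flag set), insecure (resolves but is not validated), bogus (SERVFAIL that clears when checking is disabled, the symptom Aaron sees for sso-fi.bankofamerica.com) or error (fails either way, so probably not a DNSSEC problem). The resolver address, the `dig` dependency, the names on the command line and the embedded sample `dig` output are assumptions or constructed data; it also assumes the resolver honours the CD bit, which a validating dnsmasq is assumed to do.

```shell
#!/bin/sh
# Added example, not code from cerowrt, dnsmasq or this thread.
# Classify a name's DNSSEC status through a validating resolver by comparing
# a normal query with one sent with CD (checking disabled) set: a name that
# only resolves with +cd is failing validation at the resolver.
# Assumes: `dig` from the BIND utilities, and a validating resolver at
# $RESOLVER that honours the CD bit (assumed true of dnsmasq with `dnssec`).

RESOLVER="${RESOLVER:-127.0.0.1}"

# parse_dig: read dig output on stdin, print "STATUS AD" (AD is 0 or 1).
parse_dig() {
  awk '
    /^;; ->>HEADER<<-/ {
      for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i + 1); sub(/,/, "", s) }
    }
    /^;; flags:/ {
      ad = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "ad" || $i == "ad;") ad = 1
        if ($i ~ /;$/) break
      }
    }
    END { print s, ad }'
}

# classify STATUS AD STATUS_WITH_CD
#   secure   : answer validated (AD set)
#   insecure : resolves, but not validated (unsigned, or proven unsigned)
#   bogus    : SERVFAIL when validating, resolves with checking disabled
#   error    : fails either way (likely not a DNSSEC problem)
classify() {
  if [ "$1" = NOERROR ] && [ "$2" = 1 ]; then
    echo secure
  elif [ "$1" = NOERROR ]; then
    echo insecure
  elif [ "$1" = SERVFAIL ] && [ "$3" = NOERROR ]; then
    echo bogus
  else
    echo error
  fi
}

# check_name NAME: run both queries against $RESOLVER and classify.
check_name() {
  name="$1"
  v=$(dig @"$RESOLVER" +dnssec +time=3 +tries=1 "$name" A | parse_dig)
  c=$(dig @"$RESOLVER" +cd +dnssec +time=3 +tries=1 "$name" A | parse_dig)
  set -- $v
  classify "$1" "$2" "${c%% *}"
}

# demo_offline: constructed sample of what a validating resolver returns for
# a name with a broken signature chain (not captured from a real server):
# SERVFAIL without CD, NOERROR with CD. Exercises the parser and classifier
# without network access.
demo_offline() {
  v=$(printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7' \
                    ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1' | parse_dig)
  c=$(printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8' \
                    ';; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' | parse_dig)
  set -- $v
  classify "$1" "$2" "${c%% *}"   # prints: bogus
}

# Usage: RESOLVER=192.168.1.1 sh dnssec-scan.sh sso-fi.bankofamerica.com cdnjs.cloudflare.com
if [ $# -gt 0 ]; then
  for n in "$@"; do
    printf '%s\t%s\n' "$n" "$(check_name "$n")"
  done
else
  printf 'no names given; offline sample classifies as: %s\n' "$(demo_offline)"
fi
```

Run from cron against the router's own dnsmasq and diff the output day to day: a name that flips from secure or insecure to bogus is either a zone operator's key or signature mistake or a validation bug in the resolver, and the CD comparison separates both of those from a plain outage.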