On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley wrote:
> On 23/04/14 16:42, Dave Taht wrote:
> > I will argue that a better place to report dnssec validation
> > errors is the dnsmasq list.
> >
> > On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wrote:
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
> >> BOGUS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
> >>
> >> This one validates via verisign, however.
> >>
>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK ....
> Dnsmasq does the DS query next because the answer to the A query comes
> back unsigned, so dnsmasq is looking for a DS record that proves this is
> OK. It's likely that Verisign does that top-down (starting from the
> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
> broken DS, whilst dnsmasq does.
>
> That's as good an analysis as I can produce right now. Anyone who can
> shed more light, please do.
>
> (And yes, please report DNSSEC problems on the dnsmasq-discuss list for
> preference.)
>

This is still persisting (and it appears to be blocking a bunch of Apple software update functions).

From your comments, Simon, it sounds like you think this is an Akamai issue, and should be reported to them?

Thanks,
Aaron
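
Added example (not part of the thread and not dnsmasq code): a small triage script for the log format quoted above, which groups dnsmasq log lines by name and reports the names marked BOGUS together with the clients, upstreams and record types involved, so a validation failure can be reported with the relevant details. The sample input is the thread's own log excerpt with the mail-wrapped lines rejoined; attributing a bare "validation result" line to the most recently logged name is an assumption that can misattribute on a busy resolver.

```python
import re
from collections import defaultdict

# The thread's log excerpt, mail-wrapped lines rejoined (prefix and name factored out).
PFX = "Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: "
NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"
SAMPLE_LOG = "\n".join(PFX + m for m in [
    f"query[A] {NAME} from 172.30.42.99",
    f"forwarded {NAME} to 8.8.8.8",
    f"dnssec-query[DS] {NAME} to 8.8.8.8",
    f"forwarded {NAME} to 8.8.4.4",
    f"forwarded {NAME} to 8.8.8.8",
    f"reply {NAME} is BOGUS DS",
    "validation result is BOGUS",
    f"reply {NAME} is 2.20.28.186",
])

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
UPSTREAM = re.compile(r"(?:forwarded|dnssec-query\[\w+\]) (\S+) to (\S+)$")
REPLY = re.compile(r"reply (\S+) is (.+)$")
VALIDATION = re.compile(r"validation result is (\w+)$")

def triage(log_text):
    """Return {name: details} for each name dnsmasq marked BOGUS."""
    names = defaultdict(lambda: {"clients": set(), "upstreams": set(),
                                 "bogus_rrsets": set(), "answers": [],
                                 "validation": None})
    last = None  # assumption: a bare "validation result" line refers to this name
    for line in log_text.splitlines():
        m = MSG.search(line)
        msg = m.group(1).strip() if m else ""
        if q := QUERY.match(msg):
            last = q.group(1)
            names[last]["clients"].add(q.group(2))
        elif u := UPSTREAM.match(msg):
            last = u.group(1)
            names[last]["upstreams"].add(u.group(2))
        elif r := REPLY.match(msg):
            last = r.group(1)
            status, _, rrtype = r.group(2).partition(" ")
            if status == "BOGUS":
                names[last]["bogus_rrsets"].add(rrtype or "unknown")
            else:
                names[last]["answers"].append(r.group(2))
        elif (v := VALIDATION.match(msg)) and last:
            names[last]["validation"] = v.group(1)
    return {n: d for n, d in names.items()
            if d["validation"] == "BOGUS" or d["bogus_rrsets"]}

if __name__ == "__main__":
    for name, d in triage(SAMPLE_LOG).items():
        print(name, d)
```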