From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <woody77@gmail.com>
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com
	[IPv6:2607:f8b0:4001:c03::231])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 27FBE21F29A
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 24 Apr 2014 03:49:59 -0700 (PDT)
Received: by mail-ie0-f177.google.com with SMTP id rl12so2075187iec.8
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 24 Apr 2014 03:49:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=Q0WpztVXBOKMNAdpvjO+fCR2Qh7FkPCnlzm6P7+HYBA=;
	b=xno+6PdPrM9AVJGj9xjSbcsZKrMPVYhH/uU9GgdnVTemdl0BzqvTaYtTJf0X7pol0u
	K8OmQ4D0T8h0f4+fDsVF44pdb7MtWAGIAv9MrhvbHM+GM6aQavyFpqOODvhQjccwA4yI
	MkCAN7kxbgtUts30EQICrmnv38ah7FJCmT43wTvvhqPht8Ff2drpodX4O0HxbBa2SAyz
	iFeqT0l3hhV+gY0U03595ItlJkrC3RC9Ij1ERJZ0AkJL8Dejo+rEc4uqN3M7olrwQ8/Q
	D0uIASWHGtjH9ElYa1H2C15+sKX546TPBn9wTGxYtkc89Lw1IE9qsY90idtg0bN+VrJ+
	N1Yg==
MIME-Version: 1.0
X-Received: by 10.42.136.130 with SMTP id u2mr896670ict.51.1398336598307; Thu,
	24 Apr 2014 03:49:58 -0700 (PDT)
Received: by 10.64.238.70 with HTTP; Thu, 24 Apr 2014 03:49:58 -0700 (PDT)
In-Reply-To: <5357E336.6070406@thekelleys.org.uk>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
	<CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
	<5357E336.6070406@thekelleys.org.uk>
Date: Thu, 24 Apr 2014 12:49:58 +0200
Message-ID: <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
From: Aaron Wood <woody77@gmail.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Content-Type: multipart/alternative; boundary=90e6ba6e8c0637f7c504f7c79cd4
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss]  more dnssec failures
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 10:49:59 -0000

--90e6ba6e8c0637f7c504f7c79cd4
Content-Type: text/plain; charset=UTF-8

On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley <simon@thekelleys.org.uk>wrote:

> On 23/04/14 16:42, Dave Taht wrote:
> > I will argue that a  better place to report  dnssec  validation
> > errors is the dnsmasq  list.
> >
> > On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <woody77@gmail.com> wrote:
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result
> is
> >> BOGUS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
> >>
> >> This one validates via verisign, however.
> >>
>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK


....


> Dnsmasq does the DS query next because the answer to the A query comes
> back unsigned, so dnsmasq is looking for a DS record that proves this is
> OK. It's likely that Verisign does that top-down (starting from the
> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
> broken DS, whilst dnsmasq does.
>
> That's as good an analysis as I can produce right now. Anyone who can
> shed more light, please do.
>
> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list for
> preference.)
>

This is still persisting (and it appears to be blocking a bunch of Apple
software update functions).  From your comments, Simon, it sounds like you
think this is an Akamai issue, and should be reported to them?

Thanks,
Aaron

--90e6ba6e8c0637f7c504f7c79cd4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley <span dir=3D"ltr">&lt=
;<a href=3D"mailto:simon@thekelleys.org.uk" target=3D"_blank">simon@thekell=
eys.org.uk</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"">On 23/04/14 16:42, Dave Taht=
 wrote:<br>
&gt; I will argue that a =C2=A0better place to report =C2=A0dnssec =C2=A0va=
lidation<br>
&gt; errors is the dnsmasq =C2=A0list.<br>
&gt;<br>
&gt; On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood &lt;<a href=3D"mailto:wood=
y77@gmail.com">woody77@gmail.com</a>&gt; wrote:<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: query[A]<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> from=
 172.30.42.99<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8=
.8.8.8<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: dnssec-query[DS]<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8=
.8.8.8<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8=
.8.4.4<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: forwarded<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> to 8=
.8.8.8<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: reply<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> is B=
OGUS DS<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: validation result is<br>
&gt;&gt; BOGUS<br>
&gt;&gt; Wed Apr 23 15:13:05 2014 <a href=3D"http://daemon.info" target=3D"=
_blank">daemon.info</a> dnsmasq[29719]: reply<br>
&gt;&gt; <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"=
 target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a> is 2=
.20.28.186<br>
&gt;&gt;<br>
&gt;&gt; This one validates via verisign, however.<br>
&gt;&gt;<br>
<br>
</div>Something strange in that domain. Turning off DNSSEC with the<br>
checking-disabled bit, the original A-record query is OK</blockquote><div>=
=C2=A0=C2=A0</div><div>....</div><div>=C2=A0</div><blockquote class=3D"gmai=
l_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left=
:1ex">
Dnsmasq does the DS query next because the answer to the A query comes<br>
back unsigned, so dnsmasq is looking for a DS record that proves this is<br=
>
OK. It&#39;s likely that Verisign does that top-down (starting from the<br>
root) whilst dnsmasq does it bottom up. Hence Verisign never finds the<br>
broken DS, whilst dnsmasq does.<br>
<br>
That&#39;s as good an analysis as I can produce right now. Anyone who can<b=
r>
shed more light, please do.<br><br>
(And yes, please report DNSSEC problems =C2=A0on the dnsmasq-discuss list f=
or<br>
preference.)<br></blockquote><div><br></div><div>This is still persisting (=
and it appears to be blocking a bunch of Apple software update functions). =
=C2=A0From your comments, Simon, it sounds like you think this is an Akamai=
 issue, and should be reported to them?</div>
<div><br></div><div>Thanks,</div><div>Aaron</div><div>=C2=A0</div></div></d=
iv></div>

--90e6ba6e8c0637f7c504f7c79cd4--