Development issues regarding the cerowrt test router project
From: Aaron Wood <woody77@gmail.com>
To: David Reed <dpreed@reed.com>
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
Date: Sat, 26 Apr 2014 18:20:05 +0200
Message-ID: <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
In-Reply-To: <1398528012.36628423@apps.rackspace.com>

David,

With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue
with the DS records for proving insecure domains are insecure.  But Simon
Kelley would know that better than I.

With BofA, I'm nearly certain it's them, or an issue with one of their
partners (since the domain that fails isn't BofA, but something else):

(with dnssec turned off):

;; QUESTION SECTION:
;sso-fi.bankofamerica.com. IN A

;; ANSWER SECTION:
sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157

And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for
debug info):

http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com

-Aaron


On Sat, Apr 26, 2014 at 6:00 PM, <dpreed@reed.com> wrote:

> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these
> sites?   If it is the latter, I can get attention from executives at some
> of these companies (Heartbleed has sensitized all kinds of companies to the
> need to strengthen security infrastructure).
>
> If the former, the change process is going to be more tricky, because
> dnsmasq is easily dismissed as too small a proportion of the market to
> care.  (wish it were not so).
>
> On Saturday, April 26, 2014 7:38am, "Aaron Wood" <woody77@gmail.com> said:
>
> Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
> While Akamai and cloudflare appear to be issues with their entries in
> google dns, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key.  And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time.  I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.
> -Aaron
>

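As an added illustration (not code from this thread, from dnsmasq, or from any of the sites named), the following Python models the three outcomes a validating resolver can reach while following a CNAME chain of the shape shown in the dig output above: the A record is judged under the chain of trust for the CNAME target's zone (onefiserv.com), not the zone that was queried, and a missing DS only yields "insecure" when its absence is provably denied. The zone-cut table and the "bad key" / "unprovable denial" cases are constructed for the demonstration and say nothing about the real state of these domains.

```python
from dataclasses import dataclass
@dataclass
class ZoneCut:                   # what a validator learns at one delegation (constructed)
    has_ds: bool                 # parent publishes a DS for this child zone
    denial_proven: bool = True   # if no DS: NSEC/NSEC3 proves the DS is really absent
    keys_valid: bool = True      # if DS: the child's DNSKEY matches it
# Constructed zone-cut table standing in for real DS/DNSKEY lookups (root = trust anchor).
ZONES = {
    "com.": ZoneCut(has_ds=True),
    "net.": ZoneCut(has_ds=True),
    "bankofamerica.com.": ZoneCut(has_ds=True),
    "onefiserv.com.": ZoneCut(has_ds=True, keys_valid=False),      # "bad key" shape
    "cloudflare.com.": ZoneCut(has_ds=False),                       # proven insecure
    "akamaiedge.net.": ZoneCut(has_ds=False, denial_proven=False),  # denial not provable
}

def zone_cuts(name):
    """Ancestors of `name` from the TLD down: com., example.com., www.example.com."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def security_status(name):
    """Walk the chain of trust from the root toward `name`: secure/insecure/bogus."""
    for cut in zone_cuts(name):
        zc = ZONES.get(cut)
        if zc is None or (zc.has_ds and zc.keys_valid):
            continue                     # not a zone cut, or signed and chained: descend
        if zc.has_ds:
            return "bogus"               # DS present but DNSKEY does not verify
        return "insecure" if zc.denial_proven else "bogus"  # unprovable denial => bogus
    return "secure"

def validate_chain(qname, cnames):
    """Follow CNAMEs; the answer is judged under each target's zone, not just qname's."""
    hops, name = [], qname
    while name in cnames:
        hops.append((name, security_status(name)))
        name = cnames[name]
    hops.append((name, security_status(name)))
    statuses = [s for _, s in hops]
    if "bogus" in statuses:
        return "bogus", hops             # validating resolver answers SERVFAIL
    return ("insecure" if "insecure" in statuses else "secure"), hops

# Constructed CNAME chain with the same shape as the dig output in the thread.
CHAIN = {
    "sso-fi.bankofamerica.com.": "saml-bac.onefiserv.com.",
    "saml-bac.onefiserv.com.": "saml-bac.gslb.onefiserv.com.",
}
```

With this table, validate_chain("sso-fi.bankofamerica.com.", CHAIN) reports the first hop secure and the two onefiserv.com hops bogus, so the whole answer is bogus even though bankofamerica.com itself validates.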
Thread overview: 9+ messages
2014-04-26 11:38 Aaron Wood
2014-04-26 16:00 ` dpreed
2014-04-26 16:20   ` Aaron Wood [this message]
2014-04-26 19:44     ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-26 21:17       ` Simon Kelley
2014-04-26 23:28       ` Dave Taht
2014-04-27  2:46 ` [Cerowrt-devel] " Dave Taht
2014-05-17  3:25 ` Stephen Hemminger
2014-05-17  3:58   ` Aaron Wood
