From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <woody77@gmail.com>
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com
	[IPv6:2607:f8b0:4001:c05::22a])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id D47F821F2B3
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 24 Apr 2014 05:33:20 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id uq10so973121igb.1
	for <cerowrt-devel@lists.bufferbloat.net>;
	Thu, 24 Apr 2014 05:33:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=PcNc5tuADg2CXi5oQzX4ouRlkLfPgg2G9lDdTSwTYo4=;
	b=b0YUBO+zUfpglW0oRWwtmGf9SczBQtnGwPo2idJqu70SB7pUW54iP+rFDkEf4ZE1CR
	xXW0wiiRdOfE990xC/VGc+ldOeBGl/h2uy/PQPpbOmdl6mhM4r17BXObO5+/5lLFJ3hR
	dyZckuckCAAeIWQKfCKoI/m6z0RvtILjQ5dAekMzD0twdEk8571WDi/2wTANpGh3VQKS
	f+Xqof1/VRYuav7lb32CEvkcMW8gKc3eM8TYLjBTdozhdTv4qJCPEFOqqggNSwbia7PA
	VEcxPlPAr5v8t2QYnQxZ38GC59o8Um44FZDb+jdFdf8gRploZHSjT2gTgpBUR5Kq4ubC
	XGeQ==
MIME-Version: 1.0
X-Received: by 10.42.82.148 with SMTP id d20mr1561620icl.50.1398342800248;
	Thu, 24 Apr 2014 05:33:20 -0700 (PDT)
Received: by 10.64.238.70 with HTTP; Thu, 24 Apr 2014 05:33:20 -0700 (PDT)
In-Reply-To: <5358F53A.3050501@thekelleys.org.uk>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
	<CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
	<5357E336.6070406@thekelleys.org.uk>
	<CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
	<5358F53A.3050501@thekelleys.org.uk>
Date: Thu, 24 Apr 2014 14:33:20 +0200
Message-ID: <CALQXh-N6fA-oGg6BmyZwYCAmtCLLMD0_R7QTA+9n8A8KqPZu1g@mail.gmail.com>
From: Aaron Wood <woody77@gmail.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Content-Type: multipart/alternative; boundary=90e6ba613a1ee216b204f7c90d3d
Cc: dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss]  more dnssec failures
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 12:33:21 -0000

--90e6ba613a1ee216b204f7c90d3d
Content-Type: text/plain; charset=UTF-8

Well, I'm seeing the same results as you are from here in Paris (using
Free.fr).

-Aaron


On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley <simon@thekelleys.org.uk>wrote:

> On 24/04/14 11:49, Aaron Wood wrote:
>
> >
> >> Dnsmasq does the DS query next because the answer to the A query comes
> >> back unsigned, so dnsmasq is looking for a DS record that proves this is
> >> OK. It's likely that Verisign does that top-down (starting from the
> >> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
> >> broken DS, whilst dnsmasq does.
> >>
> >> That's as good an analysis as I can produce right now. Anyone who can
> >> shed more light, please do.
> >>
> >> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list for
> >> preference.)
> >>
> >
> > This is still persisting (and it appears to be blocking a bunch of Apple
> > software update functions).  From your comments, Simon, it sounds like
> you
> > think this is an Akamai issue, and should be reported to them?
> >
>
> I'm not absolutely sure that this isn't also a dnsmasq problem, and
> DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
> answer to
>
> dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> can not be either a Google ('cause it's their recursive server) or
> Akamai problem.
>
> Poking further, it looks like the authoritative name servers for that
> zone are
>
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;cn.akamaiedge.net.             IN      NS
>
> ;; ANSWER SECTION:
> cn.akamaiedge.net.      299     IN      NS      n7cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n6cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n0cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n2cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n5cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n4cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n3cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n1cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n8cn.akamaiedge.net.
>
> and all of those give sensible answers for
>
> DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> except n8cn.akamaiedge.net, which isn't responding, so I rather think
> this may be a Google mess.
>
> Or maybe it's Great Firewall induced breakage?
>
> Cheers,
>
>
> Simon.
>
>
>
>

--90e6ba613a1ee216b204f7c90d3d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Well, I&#39;m seeing the same results as you are from here=
 in Paris (using Free.fr).<div><br></div><div>-Aaron</div></div><div class=
=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Thu, Apr 24, 2014 at=
 1:27 PM, Simon Kelley <span dir=3D"ltr">&lt;<a href=3D"mailto:simon@thekel=
leys.org.uk" target=3D"_blank">simon@thekelleys.org.uk</a>&gt;</span> wrote=
:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"">On 24/04/14 11:49, Aaron Woo=
d wrote:<br>
<br>
&gt;<br>
&gt;&gt; Dnsmasq does the DS query next because the answer to the A query c=
omes<br>
&gt;&gt; back unsigned, so dnsmasq is looking for a DS record that proves t=
his is<br>
&gt;&gt; OK. It&#39;s likely that Verisign does that top-down (starting fro=
m the<br>
&gt;&gt; root) whilst dnsmasq does it bottom up. Hence Verisign never finds=
 the<br>
&gt;&gt; broken DS, whilst dnsmasq does.<br>
&gt;&gt;<br>
&gt;&gt; That&#39;s as good an analysis as I can produce right now. Anyone =
who can<br>
&gt;&gt; shed more light, please do.<br>
&gt;&gt;<br>
&gt;&gt; (And yes, please report DNSSEC problems =C2=A0on the dnsmasq-discu=
ss list for<br>
&gt;&gt; preference.)<br>
&gt;&gt;<br>
&gt;<br>
&gt; This is still persisting (and it appears to be blocking a bunch of App=
le<br>
&gt; software update functions). =C2=A0From your comments, Simon, it sounds=
 like you<br>
&gt; think this is an Akamai issue, and should be reported to them?<br>
&gt;<br>
<br>
</div>I&#39;m not absolutely sure that this isn&#39;t also a dnsmasq proble=
m, and<br>
DNSSEC is still capable of surprising me, but I can&#39;t see how a SERVFAI=
L<br>
answer to<br>
<br>
dig @<a href=3D"http://8.8.8.8" target=3D"_blank">8.8.8.8</a> DS <a href=3D=
"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" target=3D"_blank">=
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a><br>
<br>
can not be either a Google (&#39;cause it&#39;s their recursive server) or<=
br>
Akamai problem.<br>
<br>
Poking further, it looks like the authoritative name servers for that<br>
zone are<br>
<br>
; &lt;&lt;&gt;&gt; DiG 9.8.1-P1 &lt;&lt;&gt;&gt; @<a href=3D"http://8.8.8.8=
" target=3D"_blank">8.8.8.8</a> NS <a href=3D"http://cn.akamaiedge.net" tar=
get=3D"_blank">cn.akamaiedge.net</a><br>
<div class=3D"">; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
</div>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 43031=
<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0<br>
<br>
;; QUESTION SECTION:<br>
;<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</=
a>. =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS<br>
<br>
;; ANSWER SECTION:<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n7cn.akamaiedge.net" target=3D"_blank">n7cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n6cn.akamaiedge.net" target=3D"_blank">n6cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n0cn.akamaiedge.net" target=3D"_blank">n0cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n2cn.akamaiedge.net" target=3D"_blank">n2cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n5cn.akamaiedge.net" target=3D"_blank">n5cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n4cn.akamaiedge.net" target=3D"_blank">n4cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n3cn.akamaiedge.net" target=3D"_blank">n3cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n1cn.akamaiedge.net" target=3D"_blank">n1cn.=
akamaiedge.net</a>.<br>
<a href=3D"http://cn.akamaiedge.net" target=3D"_blank">cn.akamaiedge.net</a=
>. =C2=A0 =C2=A0 =C2=A0299 =C2=A0 =C2=A0 IN =C2=A0 =C2=A0 =C2=A0NS =C2=A0 =
=C2=A0 =C2=A0<a href=3D"http://n8cn.akamaiedge.net" target=3D"_blank">n8cn.=
akamaiedge.net</a>.<br>
<br>
and all of those give sensible answers for<br>
<br>
DS <a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net" targe=
t=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a><br>
<br>
except <a href=3D"http://n8cn.akamaiedge.net" target=3D"_blank">n8cn.akamai=
edge.net</a>, which isn&#39;t responding, so I rather think<br>
this may be a Google mess.<br>
<br>
Or maybe it&#39;s Great Firewall induced breakage?<br>
<br>
Cheers,<br>
<br>
<br>
Simon.<br>
<br>
<br>
<br>
</blockquote></div><br></div>

--90e6ba613a1ee216b204f7c90d3d--